dns best practices


Upload: bhasker-reddy

Post on 12-Sep-2014


Page 1: DNS Best Practices

DNS best practices

Best practices

Enter the correct e-mail address of the responsible person for each zone you add to or manage on a DNS server.

This field is used by applications to notify DNS administrators for a variety of reasons. For example, query errors, incorrect data returned in a query, and security problems are a few ways in which this field can be used. While most Internet e-mail addresses contain the at sign (@) when used in e-mail applications, this symbol must be replaced with a period (.) when entering an e-mail address for this field. For example, instead of "administrator@microsoft.com", you would use "administrator.microsoft.com".

Be conservative in adding alias records to zones.

Avoid using CNAME resource records (RRs) where they are not needed to alias a host name used in a host (A) resource record. Also, ensure that any alias names you use are not used in other RRs.

DNS allows the owner name of a CNAME resource record to be used as the owner name of other types of resource records, such as NS, MX, and TXT resource records.
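To check a zone file against the two rules above (a responsible-person field written with "." instead of "@", and no alias name that also owns other records), here is an added Python example; it is not from the Windows Server Help. The zone text is constructed, and the alias-of-an-alias check goes slightly beyond the page's wording.

```python
from collections import defaultdict

# Constructed zone in the BIND-style text format the page says Windows DNS
# writes for its zone files. It deliberately contains three mistakes.
ZONE_TEXT = """\
$ORIGIN example.microsoft.com.
$TTL 3600
@       IN SOA   dc1.example.microsoft.com. administrator@microsoft.com. (
                 2014091201 3600 600 86400 3600 )
@       IN NS    dc1.example.microsoft.com.
dc1     IN A     10.0.0.14
dc2     IN A     10.0.0.15
www     IN CNAME dc1.example.microsoft.com.
mail    IN CNAME dc1.example.microsoft.com.
mail    IN MX    10 dc1.example.microsoft.com.   ; CNAME owner also owns an MX
ftp     IN CNAME www.example.microsoft.com.      ; alias that points at an alias
"""


def _logical_lines(text):
    """Yield zone lines with ';' comments removed and '( ... )' groups joined.

    Leading blanks on the first physical line are kept: in zone files a line
    that starts with whitespace reuses the previous owner name."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line if not buf else line.strip())
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def parse_zone(text):
    """Return (owner, type, rdata) tuples; owner names are absolute and lowercase.

    Quoted TXT data containing spaces is not handled; enough for these checks."""
    origin, last_owner, records = ".", None, []
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):             # $TTL and other directives
            continue
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}" if origin != "." else f"{owner}."
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                          # optional TTL and class
        records.append((owner.lower(), tokens[0].upper(), tokens[1:]))
    return records


def check_soa_rname(records):
    """The responsible-person field (SOA RNAME) must use '.' where e-mail uses '@'."""
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "SOA" and "@" in rdata[1]:
            problems.append(f"{owner} SOA responsible person '{rdata[1]}' contains '@'; "
                            f"use '{rdata[1].replace('@', '.')}'")
    return problems


def check_cname_owners(records):
    """A CNAME owner name must not own records of any other type."""
    types_by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        types_by_owner[owner].add(rtype)
    problems = []
    for owner, types in sorted(types_by_owner.items()):
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            problems.append(f"{owner} has CNAME together with {others}")
    return problems


def check_cname_chains(records):
    """Extra check beyond the page text: an alias whose target is itself an alias."""
    targets = {o: r[0].lower() for o, t, r in records if t == "CNAME"}
    return [f"{owner} -> {target} is an alias of an alias"
            for owner, target in sorted(targets.items()) if target in targets]


def lint_zone(text):
    """Run all checks; an empty list means the zone passes."""
    records = parse_zone(text)
    return check_soa_rname(records) + check_cname_owners(records) + check_cname_chains(records)


if __name__ == "__main__":
    for problem in lint_zone(ZONE_TEXT):
        print(problem)
```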

When designing your DNS network use standard guidelines and, wherever possible, follow preferred practices for managing your DNS infrastructure.

DNS was designed to provide a level of fault tolerance for resolving names. If possible, you should have at least two name servers hosting each zone.

If you are using Active Directory, use directory-integrated storage for your DNS zones for increased security, fault tolerance, simplified deployment and management.

By integrating zones, you can simplify network planning. For example, domain controllers for each of your Active Directory domains correspond in a direct one-to-one mapping to DNS servers. This can simplify planning and troubleshooting DNS and Active Directory replication problems because the same server computers are used in both topologies.

If you are using directory-integrated storage for your zones, you may select from the different replication scopes that replicate your DNS zone data throughout the directory. If your DNS infrastructure must support Windows 2000 DNS servers, you will use the directory-integrated storage method that replicates DNS zone data to all domain controllers in a domain. If your DNS infrastructure is composed of DNS servers running Windows Server 2003 only, you may also select from replication scopes that replicate your DNS zone data to all DNS servers in the Active Directory forest, all DNS servers in a specified Active Directory domain, or all domain controllers specified in a custom replication scope.

Any DNS server hosting a directory-integrated zone is a primary DNS server for that zone. This enables a multimaster model where multiple DNS servers may update the same zone data. A multimaster model eliminates a single point of failure associated with a conventional single-master DNS topology, where updates may only be done to a single DNS server for a given zone.

One of the important benefits of directory integration is the support for secure dynamic update of the names within a zone. For more information, see Dynamic update.

Consider the use of secondary zones to assist in off-loading DNS query traffic wherever it makes sense.

Secondary servers can be used as backups for DNS clients. This allows you to use secondary servers as a means to load balance DNS query traffic on your network and reserve your DNS-enabled primary servers for use only by those clients that need them to perform dynamic registration and updates of their A and PTR RRs.

If you are planning a large DNS design, such as for a large Internet service provider (ISP) that supports the use of DNS, review the following Request for Comments (RFC) documents published by the Internet Engineering Task Force (IETF). 

RFC   Title
1912  Common DNS Operational and Configuration Errors
2182  Selection and Operation of Secondary DNS Servers
2219  Use of DNS Aliases for Network Services

You can obtain these RFCs from the RFC Editor Web site. This Web site is currently maintained by members of the Information Sciences Institute (ISI) who publish a classified listing of all RFCs. RFCs are classified as one of the following: approved Internet standards, proposed Internet standards (circulated in draft form for review), Internet best practices, or For Your Information (FYI) documents.

How to...

Install and Configure Servers

Install and Configure Clients

Manage Servers

Optimize Servers

Monitor Servers

Add and Remove Zones

Configure Zone Properties

Manage Zones

Manage Resource Records

Use Aging and Scavenging

Install and configure servers

Install a DNS server

Configure a DNS server for use with Active Directory

Verify DNS registration for domain controllers using the nslookup command

Configure a new DNS server

Modify security for the DNS Server service on a domain controller

Add a secondary server for an existing zone

Install a caching-only DNS server

Restrict a DNS server to listen only on selected addresses

Configure a DNS server to use forwarders

Create the default DNS application directory partitions

Create a DNS application directory partition

Enlist a DNS server in a DNS application directory partition

Remove a DNS server from a DNS application directory partition

To install a DNS server

1. Open Windows Components Wizard.

2. In Components, select the Networking Services check box, and then click Details.

3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.

4. If prompted, in Copy files from, type the full path to the distribution files, and then click OK.


Required files are copied to your hard disk.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open the Windows Components Wizard, click Start, click Control Panel, double-click Add or Remove programs, and then click Add/Remove Windows Components.

Certain Windows components require configuration before they can be used. If you installed one or more of these components but did not configure them, when you click Add/Remove Windows Components, a list of components that need to be configured is displayed. To start the Windows Components Wizard, click Components.

It is recommended that you manually configure the computer to use a static IP address. If the DNS server is configured to use DHCP-assigned dynamic addresses, then when the DHCP server assigns a new IP address to the DNS server, DNS clients configured with the DNS server's previous IP address will be unable to locate the DNS server at that address.

After you install a DNS server, you can decide how to administer it and its zones. Although you can use a text editor to make changes to server boot and zone files, this method is not recommended. The DNS console and the DNS command-line tool, dnscmd, simplify maintenance of these files and should be used whenever possible. Once you begin using console-based or command-line management of these files, manually editing them is not recommended. For more information, see Related Topics.

DNS zones stored in Active Directory can be administered using the DNS console or the dnscmd command-line tool only. These zones cannot be administered using a text editor.

If you uninstall a DNS server hosting Active Directory-integrated zones, these zones will be saved or deleted according to their storage type. For all storage types, the zone data is stored on other domain controllers or DNS servers and will not be deleted unless the DNS server that you uninstall is the last DNS server hosting that zone.

If you uninstall a DNS server hosting standard DNS zones, the zone files will remain in the systemroot\system32\Dns directory, but they will not be reloaded if the DNS server is reinstalled. If you create a new zone with the same name as an old zone, the old zone file is replaced with the new zone file.


When writing DNS server boot and zone data to text files, DNS servers use the Berkeley Internet Name Domain (BIND) file format recognized by legacy BIND 4 servers, not the more recent BIND 8 format.

Information about functional differences

Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

To configure a DNS server for use with Active Directory

When Active Directory is installed using the Active Directory Installation Wizard, the option to automatically install and configure a local DNS server for use is provided.

To install Active Directory on this computer, use the Active Directory Installation Wizard. For more information, see Related Topics.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

This procedure only applies to server computers used as domain controllers. If member servers are used as DNS servers, they are not integrated with Active Directory.

If you choose the Active Directory Installation Wizard option to automatically install and configure a local DNS server, the DNS server is installed on the computer where you are running the wizard and the computer's preferred DNS server setting is configured to use the new local DNS server. You will also want to configure any other computers that will join this domain to use this DNS server's IP address as their preferred DNS server.

This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To verify DNS registration for domain controllers using the nslookup command

1. Open Command Prompt.


2. Type:

nslookup

3. After the previous command completes, at the nslookup (">") prompt type:

set q=rr_type

4. After the previous command completes, type:

_ldap._tcp.dc._msdcs.Active_Directory_domain_name

5. Review the output of the previous SRV query and determine if further action is needed based on whether the previous query succeeded or failed:

o If the query succeeded, review the registered SRV RRs returned in the query to determine if all domain controllers for your Active Directory domain are included and registered using valid IP addresses.

o If the query failed, continue troubleshooting dynamic update or DNS server related issues to determine the exact cause of the problem.

 

Value  Description

nslookup  The name of the command-line program.

_ldap._tcp.dc._msdcs.Active_Directory_domain_name  The DNS name configured for use with your Active Directory domain and any of its associated domain controllers. For example, if the DNS domain name of your Active Directory domain is example.microsoft.com, type:

_ldap._tcp.dc._msdcs.example.microsoft.com

set q=  The command to send the query to the root server.

rr_type  The resource record (RR) type to apply as a filter for subsequent lookups. For example, in this instance, because you want to limit subsequent name queries to filter and return only service location (SRV) RRs that use a specified name, type:

set q=srv

Notes


Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type:

nslookup, press Enter, and then type help

In some cases, when performing the above procedure, you might see several time-outs reported. This happens when reverse lookup is not configured for DNS servers servicing the same DNS domain as your Active Directory domain.

The following is an example of command-line output for an Nslookup session, used to verify service location (SRV) resource records that are registered by domain controllers. In this example, the two domain controllers are dc1 and dc2 and are registered for the "example.microsoft.com" domain.

C:\>nslookup
Default Server:  dc1.example.microsoft.com
Address:  10.0.0.14

> set type=srv
> _ldap._tcp.dc._msdcs.example.microsoft.com
Server:  dc1.example.microsoft.com
Address:  10.0.0.14

_ldap._tcp.dc._msdcs.example.microsoft.com  SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = dc1.example.microsoft.com
_ldap._tcp.dc._msdcs.example.microsoft.com  SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = dc2.example.microsoft.com
dc1.example.microsoft.com       internet address = 10.0.0.14
dc2.example.microsoft.com       internet address = 10.0.0.15

The nslookup command is a standard command-line tool provided in most DNS service implementations. It offers the ability to perform query testing of DNS servers and obtain detailed responses as the command output. This information is useful in troubleshooting name resolution problems, verifying that resource records (RRs) are added or updated correctly in a zone, and debugging other server-related problems.

Verify that resource records used to register services and critical hosts, such as domain controllers, are correctly added to zones.

In some cases, you might need to manually add or verify registration of the service location (SRV) resource records used to support Windows Server 2003 domain controllers.

To add the SRV resource records that have been created for a domain controller, open and view the Netlogon.dns file, created by the Active Directory Installation wizard when a server computer is promoted to a domain controller. It can be found at:

systemroot\System32\Config\Netlogon.dns

The resource records used in this file are listed in RFC-compliant text-file format. When verifying these records, look for the following records:

_ldap._tcp.Active_Directory_domain_name IN SRV 0 0 389 ldap_server_name
_ldap._tcp.dc._msdcs.Active_Directory_domain_name IN SRV 0 0 389 domain_controller_name

In some cases, you might need to modify the Lightweight Directory Access Protocol (LDAP) server name if you are using a non-domain controller as an LDAP server for your network.

The Net Logon service on each domain controller registers, as appropriate, a number of different DNS resource records with DNS servers. To learn more about these records and how Net Logon updates DNS, obtain additional technical information on DNS available from the Microsoft Web site. For more information, see Related Topics.
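An added Python example, not part of the Help text, that automates the check described in the nslookup procedure and in the Netlogon.dns passage above: it parses a constructed nslookup SRV session laid out like the page's dc1/dc2 example and a constructed excerpt merged from the controllers' Netlogon.dns files, then reports controllers that are expected but not registered, or registered with an unusable address.

```python
import ipaddress

# Constructed nslookup session, laid out like the page's own dc1/dc2 example.
NSLOOKUP_OUTPUT = """\
C:\\>nslookup
Default Server:  dc1.example.microsoft.com
Address:  10.0.0.14

> set type=srv
> _ldap._tcp.dc._msdcs.example.microsoft.com
Server:  dc1.example.microsoft.com
Address:  10.0.0.14

_ldap._tcp.dc._msdcs.example.microsoft.com  SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = dc1.example.microsoft.com
_ldap._tcp.dc._msdcs.example.microsoft.com  SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = dc2.example.microsoft.com
dc1.example.microsoft.com       internet address = 10.0.0.14
dc2.example.microsoft.com       internet address = 10.0.0.15
"""

# Constructed excerpt in the format of systemroot\System32\Config\Netlogon.dns,
# merged from three controllers; dc3's records never reached the DNS server.
NETLOGON_DNS = """\
_ldap._tcp.example.microsoft.com. 600 IN SRV 0 100 389 dc1.example.microsoft.com.
_ldap._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 100 389 dc1.example.microsoft.com.
_ldap._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 100 389 dc2.example.microsoft.com.
_ldap._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 100 389 dc3.example.microsoft.com.
"""


def parse_nslookup_srv(output):
    """Map each 'svr hostname' in the SRV answer to its port and glue address."""
    records, addresses, current = [], {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.endswith("SRV service location:"):
            current = {}                      # start a new SRV record
            records.append(current)
        elif "internet address =" in line:    # additional-section A records
            host, _, addr = line.partition("internet address =")
            addresses[host.strip().lower()] = addr.strip()
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    result = {}
    for rec in records:
        host = rec.get("svr hostname", "").lower()
        result[host] = {"port": int(rec.get("port", 0)), "address": addresses.get(host)}
    return result


def parse_netlogon_srv(text, domain):
    """Return {dc hostname: port} from the _ldap._tcp.dc._msdcs.<domain> SRV lines."""
    wanted = f"_ldap._tcp.dc._msdcs.{domain}.".lower()
    expected = {}
    for line in text.splitlines():
        t = line.split()                      # owner ttl class SRV prio weight port target
        if len(t) >= 8 and t[0].lower() == wanted and t[3].upper() == "SRV":
            expected[t[7].rstrip(".").lower()] = int(t[6])
    return expected


def verify_dc_registration(nslookup_output, netlogon_text, domain):
    """Compare what Netlogon.dns says should be registered with what DNS answered."""
    expected = parse_netlogon_srv(netlogon_text, domain)
    registered = parse_nslookup_srv(nslookup_output)
    findings = []
    for host, port in sorted(expected.items()):
        rec = registered.get(host)
        if rec is None:
            findings.append(f"{host}: no SRV record under _ldap._tcp.dc._msdcs.{domain}")
            continue
        if rec["port"] != port:
            findings.append(f"{host}: Netlogon.dns expects port {port}, DNS answered {rec['port']}")
        addr = rec["address"]
        if addr is None:
            findings.append(f"{host}: SRV present but no address record was returned")
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"{host}: '{addr}' is not a valid IP address")
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append(f"{host}: registered with unusable address {addr}")
    for host in sorted(set(registered) - set(expected)):
        findings.append(f"{host}: registered in DNS but not listed in Netlogon.dns")
    return findings


if __name__ == "__main__":
    for finding in verify_dc_registration(NSLOOKUP_OUTPUT, NETLOGON_DNS, "example.microsoft.com"):
        print(finding)
```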

To configure a new DNS server

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. If needed, add and connect to the applicable server in the console.

3. In the console tree, click the applicable DNS server.

Where?

o DNS/Applicable DNS server

4. On the Action menu, click Configure a DNS Server.

5. Follow the instructions in the Configure a DNS Server Wizard.


Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

If the DNS server is running locally, you do not need to perform step 2.

As a best practice, use the checklist for installing a new DNS server. For more information, see Related Topics.

When you finish configuring the server, you might need to complete additional tasks, such as enabling dynamic updates for its zones or adding resource records to its zones.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /Config {ZoneName|..AllZones} Property {1|0}

Value  Description

dnscmd  Specifies the name of the command-line tool.

ServerName  Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/Config  Specifies the configuration command.

{ZoneName|..AllZones}  Specifies the name of the zone to be configured. To apply the configuration for all zones hosted by the specified DNS server, type ..AllZones.

Property  Specifies the server property or zone property to be configured. There are different properties available for servers and zones. For a list of the available properties, at the command prompt, type: dnscmd /Config /help.

{1|0}  Sets configuration options to either 1 (on) or 0 (off). Note that some server and zone properties must be reset as part of a more complex operation.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /Config /help

As a best practice, use the checklist for installing a new DNS server provided in the online Help. For more information, see Related Topics.

When you finish configuring the server, you might need to complete additional tasks, such as enabling dynamic updates for its zones or adding resource records to its zones.

To modify security for the DNS Server service on a domain controller

1. Open DNS.

2. In the console tree, right-click the applicable server, and then click Properties.

3. On the Security tab, modify the list of member users or groups that are allowed to administer the applicable server.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.


Active Directory access control lists (ACLs) are only supported for the DNS Server service when it is running on a domain controller.

The security settings determine who can administer the server, but do not affect the ACLs for the zones and resource records hosted on the server. To apply security settings for DNS zones and resource records, see Related Topics.

This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To add a secondary server for an existing zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/Applicable DNS server

3. On the Action menu, click New Zone.

4. Follow the instructions in the New Zone Wizard.

When adding the zone, select Secondary zone as the zone type.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

If the DNS server is running locally, you do not need to perform step 2.

In order to add a secondary server for an existing zone, you need to have network access to the server acting as the master server for this server and its use of the zone. The master server acts as the source for zone data. It is contacted periodically to assist in renewing the zone and to transfer zone updates whenever they are needed.


Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneAdd ZoneName /Secondary MasterIPaddress... [/file FileName]

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ZoneAdd Required. Adds a zone.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the secondary zone you are adding. The zone name must be the same as the primary zone from which the secondary zone is created.

/Secondary Required. Adds a secondary zone type.

MasterIPaddress... Required. Specifies one or more IP addresses for the master servers of the secondary zone, from which it copies zone data.

/file Specifies the command to use a file.

FileName Specifies the name of the file to use for creating the secondary zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.


To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneAdd /help

To add a secondary server for an existing zone, you need to have network access to the server acting as the master server for this server and its use of the zone. The master server acts as the source for zone data. It is contacted periodically to assist in renewing the zone and to transfer zone updates whenever they are needed.

To install a caching-only DNS server

1. To install a caching-only DNS server, install a DNS server on the server computer.

2. Do not configure the DNS server (as you might normally) to load any zones.

3. Verify server root hints are configured or updated correctly.

For more information, see Related Topics.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

Caching-only DNS servers do not host any zones and are not authoritative for a particular domain. They are DNS servers that build a local server cache of names learned while performing recursive queries on behalf of their clients. This information is then available from its cache when answering subsequent client queries.

A caching-only DNS server can be valuable at a site where DNS functionality is needed locally but it is not administratively desirable to create a separate domain or zone for that location.

It is strongly recommended that, when operating the computer as a DNS server, you manually configure TCP/IP and use a static IP address.

To restrict a DNS server to listen only on selected addresses

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. On the Interfaces tab, click Only the following IP addresses.

5. In IP address, type an IP address for the DNS server to be enabled for use, and then click Add.

6. As needed, repeat the previous step to specify other server IP addresses to be enabled for use by this DNS server.

If you need to remove an IP address from the list, click it and then click Remove.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

Server IP addresses that are added here need to be statically managed. If later you change or remove addresses specified here from TCP/IP configurations maintained at this server, update this list accordingly.

After you update or revise the list of restricted interfaces, you need to stop and restart the DNS server to apply the new list.

Restricting the DNS Server service to only listen on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, will have access to the server.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ResetListenAddresses [ListenAddress ...]

 

Value  Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ResetListenAddresses Required. Resets the IP addresses of the interfaces on which the DNS server listens.

ListenAddress...

Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd ServerName /ResetListenAddresses /help

Server IP addresses that are added here need to be statically managed. If later you change or remove addresses specified here from TCP/IP configurations maintained at this server, update this list accordingly.

After you update or revise the list of restricted interfaces, you need to stop and restart the DNS server to apply the new list.

Restricting the DNS Server service to only listen on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, will have access to the server.

To configure a DNS server to use forwarders

Using the Windows interface

Using a command line


Using the Windows interface

1. Open the DNS snap-in.

2. In the console tree, click the applicable Domain Name System (DNS) server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. On the Forwarders tab, click Edit.

5. Type the IP address or the fully qualified domain name (FQDN) of a forwarder, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, the DNS server will wait 5 seconds for a response from one forwarder IP address before trying another forwarder IP address. In Number of seconds before forward queries time out, you can change the number of seconds the DNS server will wait. When the server has exhausted all forwarders, it will attempt standard recursion.

If you want the DNS server to only use forwarders and not attempt any further recursion if the forwarders fail, select the Do not use recursion for this domain check box.

You can disable recursion for the DNS server so that it will not perform recursion on any query. If you disable recursion on the DNS server, you will not be able to use forwarders on the same server. For more information about disabling recursion on the DNS server, see Related Links.

Do not enter a forwarder's IP address more than once in a DNS server's forwarders list, even if it is a more reliable or geographically closer server. If one forwarder is preferred, order it first in the list of forwarder IP addresses.

Problems associated with forwarders often result from inefficient configurations and overuse.

Using a command line

1. Open Command Prompt.

2. Type:


dnscmd ServerName /ZoneAdd ZoneName /Forwarder MasterIPaddress ... [/TimeOut Time] [/Slave]

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ZoneAdd Required. Adds a zone.

ZoneName Required. Specifies the FQDN of the zone.

/Forwarder Required. Specifies the command to configure a forwarder. When configuring forwarders on DNS servers running on Active Directory domain controllers, you must use /DsForwarder in place of /Forwarder. /DsForwarder will replicate the forwarder setting to all DNS servers running on domain controllers in an Active Directory domain.

MasterIPaddress... Required. Specifies a space-separated list of one or more IP addresses of the DNS servers to which queries for ZoneName are forwarded.

/TimeOut Specifies the timeout setting. The timeout setting is the number of seconds before unsuccessful forward queries time out.

Time Specifies the value for the /TimeOut parameter. The value is in seconds. The default timeout is 5 seconds.

/Slave Determines whether or not the DNS server uses recursion when querying for the domain name specified by ZoneName.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.


This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Links.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneAdd /help

To view a zone added for use as only a conditional forwarder, use the following command:

dnscmd ServerName /ZoneInfo ZoneName

To reset the forwarder IP addresses for a conditional forwarder domain name, type:

dnscmd ServerName /ZoneResetMasters ZoneName [/Local] [ServerIPs]

The /Local parameter sets the local master list for Active Directory–integrated forwarders, and the ServerIPs parameter is the list of one or more IP addresses of master servers for the zone. Master servers may include DNS servers that host primary or secondary copies of the zone, but they should not include DNS server IP addresses in such a way that two DNS servers hosting copies of a zone use each other as master servers. Such a configuration would make the forwarding path cyclical.

To reset the standard, nonconditional forwarder for a DNS server, type:

dnscmd ServerName /ResetForwarders [IPAddress ...] [/[No]Slave] [/TimeOut Time]

The parameter IPAddress is the IP address to which the DNS server will forward queries it cannot resolve itself. The /Slave parameter sets the DNS server as a subordinate server. The /NoSlave parameter (default setting) sets the DNS server as a nonsubordinate server, meaning that it will perform recursion. The /TimeOut and Time parameters are described in the table above.

You cannot use a domain name in a conditional forwarder if the DNS server hosts a primary, secondary, or stub zone for that domain name. For example, if a DNS server is authoritative for the domain name example.microsoft.com (hosts the primary zone for that domain name), you cannot configure that DNS server with a conditional forwarder for example.microsoft.com.

Problems associated with forwarders often result from inefficient configurations and overuse.
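As an added example (not from the original documentation), the following Python script validates a planned forwarder configuration against the notes above before it is applied with dnscmd: it rejects a forwarder listed twice, a conditional forwarder for a zone the server already hosts, and master lists that form a cycle, then renders the dnscmd lines in the syntax shown. The server name, zone names and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DnsServer:
    """Planned forwarder settings for one server (a constructed model, not a dnscmd object)."""
    name: str                                          # the ServerName argument for dnscmd
    hosted_zones: set = field(default_factory=set)     # primary, secondary or stub zones held locally
    forwarders: list = field(default_factory=list)     # standard forwarders, most preferred first
    conditional: dict = field(default_factory=dict)    # zone name -> master IPs for that zone
    slave: bool = False                                # /Slave: use forwarders only, never recurse
    timeout: int = 5                                   # /TimeOut in seconds; 5 is the documented default


def dedupe_forwarders(addrs):
    """Validate addresses and drop repeats, keeping the first occurrence so preference order survives."""
    seen, ordered, problems = set(), [], []
    for a in addrs:
        try:
            ip = str(ipaddress.ip_address(a))
        except ValueError:
            problems.append(f"not an IP address: {a!r}")
            continue
        if ip in seen:
            problems.append(f"{ip} is listed more than once; put it first instead of repeating it")
            continue
        seen.add(ip)
        ordered.append(ip)
    return ordered, problems


def conditional_conflicts(server):
    """A conditional forwarder may not name a domain the server is itself authoritative for."""
    hosted = {z.lower().rstrip(".") for z in server.hosted_zones}
    return [f"{server.name}: conditional forwarder for {z} conflicts with a zone hosted on the server"
            for z in server.conditional if z.lower().rstrip(".") in hosted]


def find_master_cycles(masters):
    """masters: {zone: {server IP: [master IPs]}}. Return the zones whose master relationships
    loop back on themselves, such as two copy holders that name each other as master."""
    cyclic = []
    for zone, graph in masters.items():
        state = {}  # node -> "active" while on the DFS path, "done" once fully explored

        def dfs(node):
            state[node] = "active"
            for m in graph.get(node, []):
                if state.get(m) == "active" or (m not in state and dfs(m)):
                    return True
            state[node] = "done"
            return False

        if any(n not in state and dfs(n) for n in list(graph)):
            cyclic.append(zone)
    return cyclic


def dnscmd_commands(server):
    """Render the dnscmd lines in the syntax shown in this section, using the deduplicated lists."""
    cmds = []
    fwd, _ = dedupe_forwarders(server.forwarders)
    if fwd:
        mode = "/Slave" if server.slave else "/NoSlave"
        cmds.append(f"dnscmd {server.name} /ResetForwarders {' '.join(fwd)} {mode} /TimeOut {server.timeout}")
    for zone, masters in server.conditional.items():
        m, _ = dedupe_forwarders(masters)
        cmds.append(f"dnscmd {server.name} /ZoneAdd {zone} /Forwarder {' '.join(m)} /TimeOut {server.timeout}")
    return cmds


def validate(server, masters):
    """Collect every problem found in a planned configuration; an empty list means it is safe to apply."""
    problems = dedupe_forwarders(server.forwarders)[1]
    for m in server.conditional.values():
        problems += dedupe_forwarders(m)[1]
    problems += conditional_conflicts(server)
    problems += [f"forwarding path for {z} is cyclical" for z in find_master_cycles(masters)]
    return problems


# Constructed sample: the local server (".") hosts example.microsoft.com, lists one forwarder
# twice, and two copy holders of example.microsoft.com point at each other as master.
SAMPLE = DnsServer(name=".", hosted_zones={"example.microsoft.com"},
                   forwarders=["10.0.0.10", "10.0.0.10", "10.0.0.11"],
                   conditional={"example.microsoft.com": ["10.0.0.20"]})
SAMPLE_MASTERS = {"example.microsoft.com": {"10.0.0.20": ["10.0.0.21"], "10.0.0.21": ["10.0.0.20"]}}

if __name__ == "__main__":
    for p in validate(SAMPLE, SAMPLE_MASTERS):
        print("problem:", p)
    for c in dnscmd_commands(SAMPLE):
        print(c)
```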

To create the default DNS application directory partitions

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable DNS server.


Where?

o DNS/applicable DNS server

3. Click Create Default Application Directory Partitions.

4. Follow the instructions to create the DNS application directory partitions.

Notes

By default, only members of the Enterprise Admins group can create a DNS application directory partition.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, the DNS Server service will attempt to locate and create the default DNS application directory partitions in Active Directory. If the DNS Server service is unable to do this, the administrator can manually create the application directory partitions using this procedure.

If the default DNS application directory partitions are currently available in Active Directory, the option to create the default application directory partitions in the DNS console will not be available.

The following table describes the options available when creating the DNS default application directory partitions.

 

Option Partition name Description

Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the domain

DomainDnsZones.DnsDomainName

DNS application directory partition for each domain in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the domain.

Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the forest

ForestDnsZones.DnsForestName

DNS application directory partition for the entire forest. It contains all the DNS servers running on the domain controllers in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the forest.


Notes

By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for any application directory partitions hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for any domain hosted on a domain controller. Once the default DNS application directory partitions are created, Net Logon will register domain controller locator (Locator) DNS resource records on behalf of the domain controller hosting the default DNS application directory partitions.

For more information about creating and deleting an application directory partition, see Related Topics.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /CreateBuiltinDirectoryPartitions {/Domain|/Forest|/AllDomains}

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/CreateBuiltinDirectoryPartitions Required. Creates a default application directory partition.

{/Domain|/Forest|/AllDomains} Required. Specifies which default application directory partition to create. Do one of the following:

To create a default domain-wide DNS application directory partition for the Active Directory domain where the specified DNS server is located, type /Domain.

To create a default forest-wide DNS application directory partition for the Active Directory forest where the specified DNS server is located, type /Forest.

To create a default domain-wide DNS application directory partition on a DNS server in each domain in the Active Directory forest where the user running this command is logged on, type /AllDomains.

The ServerName parameter is ignored for /AllDomains. The computer on which this command is run must be joined to a domain in the forest where you want to create all of the default domain-wide application directory partitions.

Notes

By default, only members of the Enterprise Admins group can create a DNS application directory partition.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /CreateBuiltinDirectoryPartitions /?

By default, the DNS Server service will attempt to locate and create the default DNS application directory partitions in Active Directory. If the DNS Server service is unable to do this, the administrator can manually create the application directory partitions using this procedure.

If the default DNS application directory partitions are currently available in Active Directory, the option to create the default application directory partitions in the DNS console will not be available.

The following table describes the options available when creating the DNS default application directory partitions.

 

Option Partition name Description

Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the domain

DomainDnsZones.DnsDomainName

DNS application directory partition for each domain in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the domain.

Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the forest

ForestDnsZones.DnsForestName

DNS application directory partition for the entire forest. It contains all the DNS servers running on the domain controllers in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the forest.

Notes

By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for any application directory partitions hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for any domain hosted on a domain controller. Once the default DNS application directory partitions are created, Net Logon will register domain controller locator (Locator) DNS resource records on behalf of the domain hosting the default DNS application directory partitions.

For more information about creating and deleting an application directory partition, see Related Topics.

To create a DNS application directory partition

1. Open Command Prompt.

2. Type:

dnscmd ServerName /CreateDirectoryPartition FQDN

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/CreateDirectoryPartition Required. Creates a DNS application directory partition.

FQDN Required. Specifies the name of the new DNS application directory partition. You must use a DNS fully qualified domain name (FQDN).


Notes

By default, only members of the Enterprise Admins group can create a DNS application directory partition.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /CreateDirectoryPartition /?

To enlist a DNS server in a DNS application directory partition

1. Open Command Prompt.

2. Type:

dnscmd ServerName /EnlistDirectoryPartition FQDN

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/EnlistDirectoryPartition Required. Enlists a DNS server in a DNS application directory partition.

FQDN Required. Specifies the fully qualified domain name (FQDN) of the DNS application directory partition.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.


This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /EnlistDirectoryPartition /?

For more information about creating and deleting an application directory partition, see Related Topics.

To remove a DNS server from a DNS application directory partition

1. Open Command Prompt.

2. Type:

dnscmd ServerName /UnenlistDirectoryPartition FQDN

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/UnenlistDirectoryPartition Required. Removes a DNS server from a DNS application directory partition.

FQDN Required. Specifies the fully qualified domain name (FQDN) of the DNS application directory partition from which you are removing the DNS server specified by ServerName.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.


To view the complete syntax for this command, at a command prompt, type:

dnscmd /UnenlistDirectoryPartition /?

For more information about creating and deleting an application directory partition, see Related Topics.

Install and configure clients

Configure DNS for static clients

Enable DNS for DHCP-enabled clients

Configure the primary DNS suffix for a client computer

Preload the client resolver cache

Display and view a client resolver cache using the ipconfig command

Flush and reset a client resolver cache using the ipconfig command

Renew DNS client registration using the ipconfig command

To configure DNS for static clients

To configure DNS for clients with statically configured IP addresses, you likely need to configure the following:

1. DNS host name (or names) for the client computer.

2. Primary and alternate DNS servers that the client uses to assist in resolving DNS domain names.

3. A list of DNS suffixes to be appended for use in completing unqualified DNS names, which are used for searching and submitting DNS queries at the client for resolution.

4. Connection-specific dynamic update and registration behavior, such as whether specific network adapters installed at the client dynamically register their configured IP addresses with a DNS server.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.


For more information about how to configure DNS for static clients not running Windows XP, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor for these clients.

By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or modify the registry. For more information, see Related Topics.

By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone named with a single-label name is considered a TLD zone, for example, com, edu, blank, my-company. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or modify the registry.

To enable DNS for DHCP-enabled clients

To configure DNS for clients with dynamically configured IP addresses provided by a DHCP server, you generally need to configure the following at either the DHCP server or applicable clients:

1. DNS host name (or names) for the client computer.

For DHCP clients, this must be set at the client computer or assigned during unattended setup.

2. Primary and alternate DNS servers that the client uses to assist in resolving DNS domain names.

For DHCP clients, this can be set by assigning the DNS server option (option 6) and providing a configured list of ordered IP addresses for the DNS servers that the client is configured to use.

3. A list of DNS suffixes to be appended for use in completing unqualified DNS names used for searching and submitting DNS queries at the client for resolution.

For DHCP clients, this can be set by assigning the DNS domain name option (option 15) and providing single DNS suffix for the client to append and use in searches. To configure additional DNS suffixes, configure TCP/IP manually for DNS configuration.

4. Connection-specific dynamic update and registration behavior, such as whether specific network adapters installed at the client dynamically register their configured IP addresses with a DNS server.

For DHCP clients, the default is for client connections to register their configured IP addresses with a DNS server. To modify this behavior at the client, configure TCP/IP manually for DNS configuration.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

For more information on how to configure other DNS for DHCP clients, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor.

By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or modify the registry. For more information, see Related Topics.

By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone named with a single-label name is considered a TLD zone, for example, com, edu, blank, my-company. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or modify the registry.

To configure the primary DNS suffix for a client computer

1. Open System in Control Panel.

2. Click the Computer Name tab.

This tab displays the computer name, the workgroup or domain to which it belongs, and a brief description of the computer.

3. Click Change, and then click More.

4. In DNS Suffix and NetBIOS Computer Name, do the following:

For Primary DNS suffix of this computer, specify the DNS suffix to be appended to the name of this computer when completing its fully qualified domain name (FQDN).

5. After applying these changes, restart the computer to initialize it with its new DNS domain name.

6. If the computer has been previously installed and configured as a DNS server, verify that zone authority records are updated.

These include the start of authority (SOA) and name server (NS) resource records, substituting the new FQDN to replace the single label name previously in use. For more information, see Related Topics.


Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open System, click Start, point to Settings, and then click Control Panel. In Control Panel, double-click System.

For more information about how to configure the primary DNS suffix for other clients and servers, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor for your other clients.

By default, the primary DNS suffix portion of a computer's FQDN is the same as the name of the Active Directory domain to which the computer is joined. To allow different primary DNS suffixes, a domain administrator can create a restricted list of allowed suffixes by modifying the msDS-AllowedDNSSuffixes attribute in the domain object container. This attribute is managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory Access Protocol (LDAP).

To preload the client resolver cache

1. At the client computer, open Command Prompt.

2. At the command prompt, type the following command:

notepad %systemroot%\system32\drivers\etc\hosts

3. Using the default entry in the file (a mapping for the local host to the loopback IP address, 127.0.0.1), add additional host name-to-address mappings on separate lines to be preloaded into the resolver cache of the client. For example, you might add:

10.0.0.1 host-a host-a.example.microsoft.com

4. On the File menu, click Save, and then Exit.

5. As an option, you can verify that your changes have been updated in the resolver cache by viewing its contents.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.


To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To open Notepad, click Start, point to All programs, point to Accessories, and then click Notepad.

Entries you add are always answered first from the local resolver cache and are not sent to a DNS server when queries are made locally to resolve these names to host (A) resource records.

Every line in the Hosts file should contain an IP address followed by one or more host names. For example, you could add a line such as the following with an IP address (10.0.0.1) that maps to more than one DNS host name:

10.0.0.1 host-a host-a.example.microsoft.com host-b.example2.microsoft.com

Likewise, a single DNS host name can correspond to more than one IP address if each of the addresses is mapped and used in separate lines. For example, you could add lines for the following multi-homed or multi-addressable DNS host computer:

10.0.0.1 host-a.example.microsoft.com

10.0.0.2 host-a.example.microsoft.com

10.0.0.3 host-a.example.microsoft.com

When multiple names or IP addresses are used in the file, the DNS Client service must be running for all entries to be returned or used in answering queries. If the DNS Client service is not running, only the first entry in the file is used to resolve the query.
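An added example, not part of the original documentation: a small Python parser for the Hosts file format described above, which reports malformed lines and models the lookup behaviour for names with several addresses, with and without the DNS Client service running. The file contents are a constructed sample built from the entries shown in this section.

```python
import ipaddress


def parse_hosts(text):
    """Parse Hosts file text into (line number, ip, [names]) entries plus a list of malformed lines.
    Comments start with '#' and may follow an entry; each entry is an IP followed by one or more names."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            malformed.append((lineno, f"first field is not an IP address: {fields[0]!r}"))
            continue
        if len(fields) < 2:
            malformed.append((lineno, f"no host name follows {ip}"))
            continue
        entries.append((lineno, ip, [n.lower() for n in fields[1:]]))
    return entries, malformed


def addresses_for(entries, name, dns_client_running=True):
    """Model the behaviour described above: with the DNS Client service running every matching
    entry is returned (in file order, without repeats); without it only the first entry is used."""
    name = name.lower()
    found = []
    for _, ip, names in entries:
        if name in names and ip not in found:
            found.append(ip)
            if not dns_client_running:
                break
    return found


def names_for(entries, ip):
    """All host names mapped to one address, across every line that lists it."""
    ip = str(ipaddress.ip_address(ip))
    out = []
    for _, entry_ip, names in entries:
        if entry_ip == ip:
            out += [n for n in names if n not in out]
    return out


# Constructed sample Hosts file: the entries used in this section plus one deliberately broken line.
SAMPLE_HOSTS = """\
# constructed sample, not a real system file
127.0.0.1       localhost
10.0.0.1        host-a host-a.example.microsoft.com host-b.example2.microsoft.com
10.0.0.2        host-a.example.microsoft.com   # second address of a multi-homed host
10.0.0.3        host-a.example.microsoft.com
10.0.0.300      broken.example.microsoft.com   # invalid address, must be reported
"""

if __name__ == "__main__":
    entries, malformed = parse_hosts(SAMPLE_HOSTS)
    for lineno, why in malformed:
        print(f"line {lineno}: {why}")
    print(addresses_for(entries, "host-a.example.microsoft.com"))
    print(addresses_for(entries, "host-a.example.microsoft.com", dns_client_running=False))
    print(names_for(entries, "10.0.0.1"))
```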

To display and view a client resolver cache using the ipconfig command

1. Open Command Prompt.

2. Type:

ipconfig /displaydns

Value Description

ipconfig The name of the command-line program.

/displaydns The command to display a client resolver cache.

Notes


Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type:

ipconfig /help

To pause the display of the command output one screen at a time, type ipconfig /displaydns | more.

The ipconfig /displaydns command provides you with a means to view the contents of the DNS client resolver cache, which includes entries preloaded from the local Hosts file, as well as any recently obtained resource records for name queries resolved by the system. This information is used by the DNS Client service to quickly resolve frequently queried names before it queries its configured DNS servers.

When the ipconfig /displaydns command is used to display current resolver cache contents, the resultant output generally includes the local host and loopback IP address (127.0.0.1) mappings. This is because these mappings typically exist in the default (unmodified) contents of the local Hosts file.

After you add host mapping entries to the local Hosts file and save the file, these entries are added to the displayed output of this command. For more information, see Related Topics.

The resolver cache can also support negative caching of unresolved or non-valid DNS names. These entries are added by the DNS Client service when it receives a negative answer from a DNS server for a queried name. The negative result is cached for a short period of time so that it is not again queried, which could cause query performance problems.

During DNS troubleshooting, you can flush and reset the cache to discard negative entries from the cache and any other dynamically added entries that were not preloaded. For more information, see Related Topics.

Although the ipconfig command is provided for earlier versions of Windows, the /displaydns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.
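An added example (not from the original documentation): a Python parser for ipconfig /displaydns output that separates positive entries from negatively cached names, so the entries worth flushing during troubleshooting can be listed. The text below is a constructed sample laid out the way the command prints its entries on the Windows versions named above; that layout is an assumption, not something the page shows.

```python
import re

DASH_RULE = re.compile(r"^-{10,}$")   # the rule printed under each cached name


def parse_displaydns(output):
    """Parse ipconfig /displaydns text into one dict per cached name.
    Each entry is a name line, a dashed rule, then either 'Key . . : value' lines or
    the text 'Name does not exist.' for a negatively cached name."""
    records, prev, cur = [], "", None
    for raw in output.splitlines():
        line = raw.strip()
        if DASH_RULE.match(line):
            cur = {"name": prev, "negative": False, "fields": {}}
            records.append(cur)
        elif cur is not None and line == "Name does not exist.":
            cur["negative"] = True
        elif cur is not None and ":" in line:
            key, value = line.split(":", 1)
            key = key.replace(".", "").strip()   # 'Time To Live  . . . . ' -> 'Time To Live'
            cur["fields"][key] = value.strip()
        elif not line:
            cur = None   # a blank line ends the entry; the next name line starts a new one
        prev = line
    return records


def record_summary(rec):
    """Flatten a parsed entry into (name, type, ttl, data); type and ttl are None for negative entries."""
    f = rec["fields"]
    data = next((v for k, v in f.items() if k.endswith("Record")), None)
    ttl = int(f["Time To Live"]) if "Time To Live" in f else None
    rtype = int(f["Record Type"]) if "Record Type" in f else None
    return rec["name"], rtype, ttl, data


def split_cache(records):
    """Return (positive, negative) name lists. Negative entries are the ones to look at first when
    a name will not resolve, since they suppress further queries for that name until they expire."""
    positive = [r["name"] for r in records if not r["negative"]]
    negative = [r["name"] for r in records if r["negative"]]
    return positive, negative


# Constructed sample output: a Hosts-preloaded entry, a resolved name and a negative entry.
SAMPLE_OUTPUT = """
Windows IP Configuration

         localhost
         ----------------------------------------
         Record Name . . . . . : localhost
         Record Type . . . . . : 1
         Time To Live  . . . . : 604800
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1

         host-a.example.microsoft.com
         ----------------------------------------
         Record Name . . . . . : host-a.example.microsoft.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 86400
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 10.0.0.1

         nosuch.example.microsoft.com
         ----------------------------------------
         Name does not exist.
"""

if __name__ == "__main__":
    records = parse_displaydns(SAMPLE_OUTPUT)
    for r in records:
        print(record_summary(r))
    print("negative entries:", split_cache(records)[1])
```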

To flush and reset a client resolver cache using the ipconfig command

1. Open Command Prompt.


2. Type:

ipconfig /flushdns

Value Description

ipconfig The name of the command-line program.

/flushdns The command to flush and reset a client resolver cache.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type:

ipconfig /help

The ipconfig /flushdns command provides you with a means to flush and reset the contents of the DNS client resolver cache. During DNS troubleshooting, if necessary, you can use this procedure to discard negative cache entries from the cache, as well as any other dynamically added entries.

Resetting the cache does not eliminate entries that are preloaded from the local Hosts file. To eliminate those entries from the cache, remove them from this file. For more information, see Related Topics.

Although the ipconfig command is provided for earlier versions of Windows, the /flushdns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.

To renew DNS client registration using the ipconfig command

1. Open Command Prompt.

2. Type:

ipconfig /registerdns

Value Description

ipconfig The name of the command-line program.

/registerdns The command to renew DNS client registration.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type:

ipconfig /help

An additional form of the /registerdns command is:

ipconfig /registerdns [adapter]

Where adapter is the name of a specific network adapter installed on the computer for which you want to renew or update registrations.

The ipconfig /registerdns command provides you with a means to manually initiate dynamic registration for the DNS names and IP addresses configured at a computer. This option can assist in troubleshooting a failed DNS name registration or in resolving a dynamic update problem between a client and the DNS server without restarting the client.

By default, the ipconfig /registerdns command refreshes all DHCP address leases and registers all related DNS names configured and used by the client computer.

To learn the names of adapters that you can optionally specify with this command, first type the ipconfig command by itself (that is, do not specify any additional parameters). The command output displays all adapters by name that are available for use at the computer.

Although the ipconfig command is provided for earlier versions of Windows, the /registerdns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.

On computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems, the DHCP Client service is used to perform dynamic registrations and updates, regardless of whether the computer uses a DHCP server or static configuration to obtain its IP address.


If you are troubleshooting a failed DNS dynamic registration for a client computer and its DNS names, it might help to verify that the cause is not related to one of the following commonly known causes for such failures:

1. The zone where the client requires update or registration is not able to accept dynamic updates.

2. The DNS servers that the client is configured to use do not support or recognize the DNS dynamic update protocol.

3. The primary (or directory-integrated) DNS server for the zone refused the update request. This most likely occurs because the security settings on the zone or resource records do not grant the client sufficient access rights to update its own name.

4. The server or zone is not available because of other problems, such as a network or server failure.

Manage servers

Open the DNS console

Start or stop a DNS server

Add a server to the DNS console

Remove a server from the DNS console

Manually update server data files

Change the boot method used by the DNS server

Change the name-checking method used by the DNS server

Restrict NS resource record registration

Allow NS record creation for specific domain controllers

Restrict DNS resource records updated by Netlogon

To open the DNS console

Open DNS.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

The DNS console is an administrative tool for managing DNS servers running Windows Server 2003 family operating systems only. For more information, see Related Topics.

To start or stop a DNS server

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/Applicable DNS server

3. On the Action menu, point to All Tasks and then click one of the following:

o To start the service, click Start.

o To stop the service, click Stop.

o To interrupt the service, click Pause.

o To stop and then automatically restart the service, click Restart.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

After you pause or stop the service, on the Action menu, in All Tasks, you can click Resume to immediately resume service.

When using registry-based configuration, changes are applied to DNS servers only when the DNS Server service is re-initialized. In these cases, if a DNS value is manually changed directly in the registry, the DNS Server service must always be restarted for the new value to be used.

To add a server to the DNS console

1. Open DNS.

2. On the Action menu, click Connect To DNS Server.

3. In Connect to DNS Server, click either:

o This computer, if the server you want to connect to and manage is located on the same computer you are using to manage it.

o The following computer, if the server you want to connect to and manage is located on a remote computer.

If you choose to connect to a remote server, specify either its DNS computer name or its IP address.

4. Select the Connect to the specified computer now check box, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

The DNS console is a Microsoft Management Console (MMC) administrative tool for managing DNS servers running Windows Server 2003 operating systems only. For more information, see Related Topics.

If you use the Windows Server 2003 DNS console to administer a Windows 2000 DNS server, any new features will not be available when viewing the Windows 2000 DNS server.

To remove a server from the DNS console

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Delete.

4. When prompted to confirm you want to delete this server from the list, click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To manually update server data files

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Update Server Data Files.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

For standard primary zones, this procedure causes the DNS server to immediately write its in-memory changes out to disk for storage with the zone file. Normally these changes are only written at predefined update intervals and when the DNS server is shut down.

For Active Directory-integrated zones, this procedure does not apply. To update Active Directory-integrated zones, see the command-line procedure below.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneUpdateFromDs ZoneName

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ZoneUpdateFromDs Required. Updates the zone file with data from Active Directory.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone you are updating.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneUpdateFromDs /help

The command-line procedure updates Active Directory-integrated zones only. For standard zones, see the Windows interface procedure above.

To change the boot method used by the DNS server

1. Open DNS.

2. In the console tree, right-click the applicable DNS server, then click Properties.

3. Click the Advanced tab.

4. In the Load zone data on startup list, select From registry, From file, or From Active Directory and registry.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, DNS servers use information stored in the registry to initialize for service and load any zone data for use at the server. As added options, you can configure the DNS server to boot from a file or, in Active Directory environments, you can supplement local registry data with zone data retrieved for directory-integrated zones stored in the Active Directory database. If you use the file method, the file used must be a text file named Boot, located on this computer in the systemroot\Windows\System32\Dns folder.

To change the name-checking method used by the DNS server

1. Open DNS.

2. In the console tree, right-click the applicable DNS server, then click Properties.

3. Click the Advanced tab.

4. In the Name checking list, select Strict RFC (ANSI), Non RFC (ANSI), Multibyte (UTF8), or All names.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

The DNS Server service supports different possible methods for checking the names it receives and processes during normal operations:

o Strict RFC (ANSI) This method strictly enforces RFC-compliant naming rules for all DNS names that the server processes. Names that are not RFC-compliant are treated as errors by the server.

o Non RFC (ANSI) This method allows names that are not RFC-compliant to be used with the DNS server, such as names that use ASCII characters but do not comply with RFC host naming requirements.

o Multibyte (UTF8) This method allows names that use UTF-8 (the 8-bit Unicode transformation format), which is a proposed RFC draft, to be used with the DNS server.

o All names Allows Non RFC (ANSI), Strict RFC (ANSI), and Multibyte (UTF8) naming conventions.

By default, the server uses Multibyte (UTF8) to check names.

To restrict NS resource record registration

Using the Windows interface

Using a command line

Using the Windows interface

1. Open Registry Editor.

Caution

o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

2. In Registry Editor, navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3. Add the following REG_DWORD value:

DisableNSRecordsAutoCreation

4. Assign a value of 0x1.

The REG_DWORD value is a local DNS server setting and applies to DNS zones for which this DNS server is authoritative.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open Registry Editor, click Start, click Run, type regedit, and then click OK.

This procedure restricts NS resource records registered for Active Directory domain controllers only.

To configure the DNS server to automatically add NS resource records corresponding to itself when loading a zone, you may assign a value of 0x0 or enter no value (default setting). This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry.

If you have configured the registry to restrict the DNS server from registering NS resource records for authoritative zones, any existing NS resource records for the authoritative zones located on the DNS server are automatically deleted.

Regardless of the settings of these registry entries, query responses sent to DNS clients from the authoritative DNS server will indicate that the responses are from an authoritative DNS server.

The registry key entry described here does not exist by default and must be created and configured according to this procedure.

Using a command line

1. Open Command Prompt.

Caution

o In this procedure you will be editing the registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

2. Type:

dnscmd ServerName /Config /DisableNSRecordsAutoCreation 0x1

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/Config Specifies the configuration command.

/DisableNSRecordsAutoCreation Determines the local DNS server configuration for registering NS resource records for authoritative zones.

0x1 Specifies that the DNS server specified in ServerName should not add NS resource records for authoritative zones. To specify that the DNS server should add NS resource records for all its authoritative zones, type a value of 0x0.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

This procedure restricts NS resource records registered for Active Directory domain controllers only.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /config /?

The DWORD value is a local DNS server setting and applies to authoritative DNS zones hosted on this DNS server.

Regardless of the settings above, query responses sent to DNS clients from authoritative DNS servers and selected domain controllers will indicate that the responses are from authoritative DNS servers.

To configure the DNS server to automatically add NS resource records corresponding to itself when loading a zone, you may assign a value of 0x0 or enter no value (default setting). This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry.

If you have configured the registry to restrict the DNS server from registering NS resource records for authoritative zones, any existing NS resource records for the authoritative zones located on the DNS server are automatically deleted.

Regardless of a NS resource record registration setting, query responses sent to DNS clients from the authoritative DNS server will indicate that the responses are authoritative.

The registry key entries described here do not exist by default and must be created and configured using this procedure.

To allow NS resource record creation for specific domain controllers

1. Open Command Prompt.

Important

o This procedure applies to domain controller name server (NS) resource records in Active Directory-integrated DNS zones that are hosted on DNS servers configured to not add these resource records for their authoritative zones. For more information, see Related Topics.

2. Type:

dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation IpAddresses...

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/Config Required. Specifies the configuration command.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

/AllowNSRecordsAutoCreation Required. Specifies that the domain controllers listed in IpAddresses... will add their names to NS resource records for the zone specified in ZoneName. NS resource records that were previously registered for this zone are not affected; you must remove them manually if you do not want them.

IpAddresses... Required. Specifies the IP addresses of the domain controllers that will add their names in NS resource records for the zone specified in ZoneName. Type a space-separated list of the IP addresses of the DNS servers. For example, 10.0.0.0 172.16.0.0 192.168.0.0.

Additional considerations

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /Config /?

If any domain controllers in the specified zone are not listed for IpAddresses..., their names will be deleted from the NS resource records for the zone specified in ZoneName.

To specify that all domain controllers are allowed to add their names to NS resource records for the zone, or to clear the list of allowed DNS server IP addresses, type the command and omit IpAddresses...:

dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation

Regardless of the settings above, query responses sent to DNS clients from authoritative DNS servers and selected domain controllers will indicate that the responses are from authoritative DNS servers.

To restrict the DNS resource records updated by the Net Logon service

1. Open Registry Editor.

Caution

o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

2. In Registry Editor, navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

3. Add the following multi-string value (REG_MULTI_SZ) value:

DnsAvoidRegisterRecords

4. In this value, specify the list of data corresponding to the DNS resource records that should not be registered for this domain controller by the Net Logon service. The list of data includes:

Data Value           Resource Record Type   DNS Resource Record
LdapIpAddress        A                      <DnsDomainName>
Ldap                 SRV                    _ldap._tcp.<DnsDomainName>
LdapAtSite           SRV                    _ldap._tcp.<SiteName>._sites.<DnsDomainName>
Pdc                  SRV                    _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                   SRV                    _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite             SRV                    _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
DcByGuid             SRV                    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
GcIpAddress          A                      gc._msdcs.<DnsForestName>
DsaCname             CNAME                  <DsaGuid>._msdcs.<DnsForestName>
Kdc                  SRV                    _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite            SRV                    _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Dc                   SRV                    _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite             SRV                    _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Rfc1510Kdc           SRV                    _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite     SRV                    _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
GenericGc            SRV                    _gc._tcp.<DnsForestName>
GenericGcAtSite      SRV                    _gc._tcp.<SiteName>._sites.<DnsForestName>
Rfc1510UdpKdc        SRV                    _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd          SRV                    _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd       SRV                    _kpasswd._udp.<DnsDomainName>

Important

This procedure restricts DNS resource records registered by the Net Logon service for Active Directory domain controllers only.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open Registry Editor, click Start, click Run, type regedit, and then click OK.

Restarting the Net Logon service is not required for changes to this value to take effect. If the DnsAvoidRegisterRecords registry key is created or modified while the Net Logon service is stopped, or within the first 15 minutes after it is started, the corresponding DNS updates may be delayed; however, they take place no later than 15 minutes after the Net Logon service starts.
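As an added example for the Net Logon procedure above (this script is not part of the Microsoft documentation or of Windows), the following PowerShell writes the DnsAvoidRegisterRecords value after validating every mnemonic against the table on this page, and expands each mnemonic into the owner name the domain controller would otherwise register, so the change can be verified with a query once the 15-minute window has passed. It assumes it runs elevated on the domain controller being configured; the domain, forest and site names and the mnemonic list are constructed values.

```powershell
# Added example, not Microsoft's own tooling. Assumes an elevated session on the DC.
$NetlogonParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Mnemonic -> (record type, owner-name template), copied from the table on this page.
$NetlogonRecordTemplates = @{
    LdapIpAddress    = @('A',     '<DnsDomainName>')
    Ldap             = @('SRV',   '_ldap._tcp.<DnsDomainName>')
    LdapAtSite       = @('SRV',   '_ldap._tcp.<SiteName>._sites.<DnsDomainName>')
    Pdc              = @('SRV',   '_ldap._tcp.pdc._msdcs.<DnsDomainName>')
    Gc               = @('SRV',   '_ldap._tcp.gc._msdcs.<DnsForestName>')
    GcAtSite         = @('SRV',   '_ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>')
    DcByGuid         = @('SRV',   '_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>')
    GcIpAddress      = @('A',     'gc._msdcs.<DnsForestName>')
    DsaCname         = @('CNAME', '<DsaGuid>._msdcs.<DnsForestName>')
    Kdc              = @('SRV',   '_kerberos._tcp.dc._msdcs.<DnsDomainName>')
    KdcAtSite        = @('SRV',   '_kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>')
    Dc               = @('SRV',   '_ldap._tcp.dc._msdcs.<DnsDomainName>')
    DcAtSite         = @('SRV',   '_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>')
    Rfc1510Kdc       = @('SRV',   '_kerberos._tcp.<DnsDomainName>')
    Rfc1510KdcAtSite = @('SRV',   '_kerberos._tcp.<SiteName>._sites.<DnsDomainName>')
    GenericGc        = @('SRV',   '_gc._tcp.<DnsForestName>')
    GenericGcAtSite  = @('SRV',   '_gc._tcp.<SiteName>._sites.<DnsForestName>')
    Rfc1510UdpKdc    = @('SRV',   '_kerberos._udp.<DnsDomainName>')
    Rfc1510Kpwd      = @('SRV',   '_kpasswd._tcp.<DnsDomainName>')
    Rfc1510UdpKpwd   = @('SRV',   '_kpasswd._udp.<DnsDomainName>')
}

function Get-NetlogonRecordName {
    # Expands a mnemonic into the owner name the DC registers, so the effect of the
    # change can be checked with a DNS query (for example Resolve-DnsName) afterwards.
    # <DomainGuid> and <DsaGuid> are left as-is; they are per-DC values not known here.
    param(
        [Parameter(Mandatory)][string]$Mnemonic,
        [Parameter(Mandatory)][string]$DnsDomainName,
        [Parameter(Mandatory)][string]$DnsForestName,
        [string]$SiteName = 'Default-First-Site-Name'
    )
    $entry = $NetlogonRecordTemplates[$Mnemonic]
    if ($null -eq $entry) { throw "Unknown DnsAvoidRegisterRecords mnemonic: $Mnemonic" }
    $name = $entry[1]
    $name = $name.Replace('<DnsDomainName>', $DnsDomainName)
    $name = $name.Replace('<DnsForestName>', $DnsForestName)
    $name = $name.Replace('<SiteName>', $SiteName)
    [pscustomobject]@{ Mnemonic = $Mnemonic; Type = $entry[0]; Name = $name }
}

function Set-NetlogonDnsAvoidRegisterRecords {
    # Writes the REG_MULTI_SZ value, rejecting any mnemonic not in the table so that a
    # typo cannot silently leave a record registered. Returns the list read back.
    param([Parameter(Mandatory)][string[]]$Mnemonics)
    $unknown = $Mnemonics | Where-Object { -not $NetlogonRecordTemplates.ContainsKey($_) }
    if ($unknown) { throw "Unknown mnemonic(s): $($unknown -join ', ')" }
    New-ItemProperty -Path $NetlogonParameters -Name 'DnsAvoidRegisterRecords' `
        -PropertyType MultiString -Value $Mnemonics -Force | Out-Null
    (Get-ItemProperty -Path $NetlogonParameters -Name 'DnsAvoidRegisterRecords').DnsAvoidRegisterRecords
}

# Constructed example: keep this DC out of the non-site-specific records so that
# clients outside its site are not directed to it. Site-specific records stay.
$avoid = 'Ldap', 'Gc', 'GenericGc', 'Kdc', 'Dc',
         'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
Set-NetlogonDnsAvoidRegisterRecords -Mnemonics $avoid

# Names that should disappear for this DC within 15 minutes (constructed names).
$avoid | ForEach-Object {
    Get-NetlogonRecordName -Mnemonic $_ -DnsDomainName 'corp.example.com' `
        -DnsForestName 'example.com' -SiteName 'Branch01'
} | Format-Table -AutoSize
```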

Optimize servers

Enable or disable fast transfer format during zone transfers

Prevent loading of a zone when bad data is found

Disable round-robin rotation for multihomed names

Disable local subnet prioritization for multihomed names

Restore server default preferences

Disable recursion on the DNS server

Update root hints on the DNS server

Secure server cache against names pollution

Clear the server names cache

Modify DNSSEC configuration

Modify EDNS0 configuration

Modify UDP message size

To enable or disable fast transfer format during zone transfers

Using the Windows interface

Using a command line

Using the Windows interface

You can enable or disable fast transfer format during zone transfers using the Windows interface.

To enable or disable fast transfer format during zone transfers using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. Click the Advanced tab.

5. Do one of the following:

o To enable the fast transfer format (the default), in the Server options list, clear the BIND secondaries check box, and then click OK.

o To disable the fast transfer format, in the Server options list, select the BIND secondaries check box, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

The fast transfer format optimizes zone transfers between Windows-based DNS servers and other DNS server implementations, and it is enabled by default. Zone transfers between Windows-based DNS servers always use the fast transfer format.

DNS servers running versions of the Berkeley Internet Name Domain (BIND) server implementation prior to version 4.9.4 do not support the fast transfer format. You should select the BIND secondaries option if you are transferring zones to BIND servers running versions earlier than 4.9.4.

Using a command line

You can enable or disable fast transfer format during zone transfers using a command line.

To enable or disable fast transfer format during zone transfers using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /Config /BindSecondaries {1|0}

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/Config Specifies the configuration command.

/BindSecondaries Controls whether the fast transfer format is used, for compatibility with legacy Berkeley Internet Name Domain (BIND) servers.

{1|0} To disable the fast transfer format when transferring a zone to legacy BIND DNS servers, type 1 (on). To enable the fast transfer format, type 0 (off).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd ServerName /Config /help

The fast transfer format optimizes zone transfers between Windows-based DNS servers and other DNS server implementations, and it is enabled by default. Zone transfers between Windows-based DNS servers always use the fast transfer format.

DNS servers running versions of the BIND server implementation earlier than version 4.9.4 do not support the fast transfer format. You should set BindSecondaries to 1 if you are transferring zones to BIND servers running versions earlier than 4.9.4.

To prevent loading of a zone when bad data is found

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. Click the Advanced tab.

5. In Server options, select the Fail on load if bad zone data check box, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To disable round-robin rotation for multihomed names

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. Click the Advanced tab.

5. In Server options, clear the Enable round robin check box, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /Config /RoundRobin {1|0}

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/Config Specifies the configuration command.

/RoundRobin Configures round robin rotation.

{1|0} To enable round robin, type 1 (on). To disable round robin, type 0 (off).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /Config /help

To disable local subnet prioritization for multihomed names

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. Click the Advanced tab.

5. In Server options, clear the Enable netmask ordering check box, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /Config /LocalNetPriority {1|0}

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/Config Specifies the configuration command.

/LocalNetPriority Configures netmask ordering.

{1|0} To enable netmask ordering, type 1 (on). To disable netmask ordering, type 0 (off).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /Config /help

To restore server default preferences

1. Open DNS.

2. In the console tree, right-click the applicable DNS server, and then click Properties.

3. Click the Advanced tab.

4. Click Reset to Default, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Clicking Reset to Default configures the DNS server with the initial configuration it had following installation. These settings are displayed in the table below.

Property                                        Setting
Disable recursion                               Off
BIND secondaries                                On
Fail on load if bad zone data                   Off
Enable round robin                              On
Enable netmask ordering                         On
Secure cache against pollution                  On
Name checking                                   Multibyte (UTF8)
Load zone data on startup                       From Active Directory and registry
Enable automatic scavenging of stale records    Off
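As an added example (this script is not part of the Microsoft documentation or of Windows), the following PowerShell audits the server-level settings covered in this section in one pass instead of opening each property page: it reads the stored values, treats an absent value as the post-install default from the Reset to Default table, and reports any drift from a hardened baseline for a server that is authoritative only. It assumes an elevated session on the DNS server, that the dnscmd /Config names used on this page (NoRecursion, RoundRobin, LocalNetPriority, BindSecondaries, DisableNSRecordsAutoCreation) are stored as REG_DWORD values of the same name under the DNS Parameters key, and that "Secure cache against pollution" is stored there as SecureResponses; only DisableNSRecordsAutoCreation and the Parameters key path are documented on this page, the other value names are assumptions.

```powershell
# Added example, not Microsoft's own tooling. Assumes an elevated session on the server.
# Key path is documented on this page; value names other than DisableNSRecordsAutoCreation
# are assumed to match the dnscmd /Config names (plus SecureResponses for cache protection).
$DnsParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# Post-install defaults from the Reset to Default table on this page. An absent registry
# value behaves like the default (the page says so for DisableNSRecordsAutoCreation).
$InstallDefaults = [ordered]@{
    NoRecursion                  = 0   # Disable recursion: Off
    BindSecondaries              = 1   # BIND secondaries: On
    RoundRobin                   = 1   # Enable round robin: On
    LocalNetPriority             = 1   # Enable netmask ordering: On
    SecureResponses              = 1   # Secure cache against pollution: On
    DisableNSRecordsAutoCreation = 0   # NS records for authoritative zones auto-created
}

# Hardened baseline for a server that only answers for its own zones: recursion off
# (the page notes forwarders cannot then be used on that server), cache protection on,
# fast transfer format on unless zones are transferred to BIND earlier than 4.9.4.
$HardenedBaseline = [ordered]@{
    NoRecursion     = 1
    SecureResponses = 1
    BindSecondaries = 0
}

function Get-DnsParameterValue {
    # Returns the stored REG_DWORD, or $null when the value has not been created.
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $DnsParameters -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Compare-DnsParameters {
    # One row per expected setting: what is stored, what is in effect, and whether it
    # matches. "Effective" substitutes the install default when nothing is stored.
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Expected,
        [string]$Label = 'baseline'
    )
    foreach ($name in $Expected.Keys) {
        $stored = Get-DnsParameterValue -Name $name
        if ($null -eq $stored) {
            $effective = $InstallDefaults[$name]
            $storedText = '(absent)'
        } else {
            $effective = $stored
            $storedText = $stored
        }
        [pscustomobject]@{
            Baseline  = $Label
            Setting   = $name
            Expected  = $Expected[$name]
            Stored    = $storedText
            Effective = $effective
            Compliant = ($effective -eq $Expected[$name])
        }
    }
}

# Full picture against the install defaults, then only the deviations from the
# authoritative-only baseline (an empty second table means no drift).
Compare-DnsParameters -Expected $InstallDefaults -Label 'install-default' |
    Format-Table -AutoSize
Compare-DnsParameters -Expected $HardenedBaseline -Label 'authoritative-only' |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

As the page notes for registry-based configuration, a value changed directly in the registry takes effect only after the DNS Server service is restarted, so run the audit again after the restart to confirm the effective values.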

To disable recursion on the DNS server

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable DNS server, then click Properties.

3. Click the Advanced tab.

4. In Server options, select the Disable recursion check box, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /Config /NoRecursion {1|0}

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/Config Required. Specifies the configuration command.

/NoRecursion Required. Specifies the command to disable recursion.

{1|0} Required. To disable recursion, type 1 (off). To enable recursion, type 0 (on). By default, recursion is enabled.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /Config /help

If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.

To update root hints on the DNS server

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. Click the Root Hints tab.

5. Modify server root hints as follows:

o To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.

o To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.

o To remove a root server from the list, select it in the list, and then click Remove.

o To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To secure server cache against names pollution

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. Click the Advanced tab.

5. In Server options, select the Secure cache against pollution check box, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

The Secure cache against pollution option is enabled by default.

To clear the server names cache

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Clear Cache.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type the following command and then press ENTER:

dnscmd ServerName /clearcache

 

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/clearcache Required. Specifies the command to clear the DNS server cache.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To modify DNSSEC configuration

1. Open Registry Editor.

Caution

o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

2. In Registry Editor, navigate to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3. Add the following DWORD entry:

EnableDnsSec

4. Do one of the following:

o To exclude DNSSEC resource records in query responses other than responses to requests for SIG, KEY or NXT resource records, assign a value of 0x0. Appropriate resource records will be included in responses to requests for SIG, KEY, or NXT resource records only.

o To include the DNSSEC resource records in all query responses (according to RFC 2535), assign a value of 0x2.

o To include DNSSEC resource records only in cases where the original client query contained the OPT resource record (according to RFC 2671), assign a value of 0x1 or do not create the value at all. The DNS server behaves the same if the value is 0x1 or if the entry does not appear in the registry.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open Registry Editor, click Start, click Run, type regedit, and then click OK.

The value of the registry entry EnableDnsSec determines whether the DNS server will include or exclude DNSSEC resource records when it receives queries.

To modify EDNS0 configuration

Using the Windows interface

Using a command line

Using the Windows interface

1. Open Registry Editor.

Caution

o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

2. In Registry Editor, navigate to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3. Add the following DWORD entry:

EDNSCacheTimeout

4. To change the cache timeout, type a value in seconds between 3600 (1 hour) and 15724800 (182 days).

5. In the same registry subkey (Parameters), add the following DWORD entry:

EnableEDNSProbes

6. To configure the DNS server to include an OPT resource record only in response to EDNS0 requests containing OPT resource records, type 0x1 (DWORD).

7. Restart DNS server.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open Registry Editor, click Start, click Run, type regedit, and then click OK.

The value of the registry entry EDNSCacheTimeout determines how long the DNS server keeps information about the EDNS versions supported by other DNS servers that have responded to a query with an OPT resource record.

Using a command line

1. Open Command Prompt.

2. Type one of the following:

o dnscmd ServerName /Config /EDNSCacheTimeout Value

o dnscmd ServerName /Config /EnableEDNSProbes Value

 

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/Config Required. Specifies the command to configure the DNS server.

/EDNSCacheTimeout Required. Specifies the length of time the DNS server remembers the EDNS parameters remote servers report.

/EnableEDNSProbes Required. Specifies whether or not the DNS server probes other DNS servers to determine if they support EDNS.

Value Required. For /EDNSCacheTimeout, type a value between 3600 (1 hour) and 15724800 (182 days). For /EnableEDNSProbes, type 1 to configure the DNS server to probe other DNS servers and determine if they support EDNS. Type 0 to configure the DNS server not to probe remote servers for EDNS support. If you type 0, the DNS server will continue to use EDNS if other servers request it.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /Config /help

For information about the current registry setting, type one of the following:

o dnscmd /Info /EDNSCacheTimeout

o dnscmd /Info /EnableEDNSProbes

To modify UDP message size

1. Open Registry Editor.

Caution

o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

2. In Registry Editor, navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3. Add the following DWORD entry:

MaximumUdpPacketSize

4. Type a maximum UDP packet size value in bytes.

The default value is 1280 bytes. The value must be between 512 and 16384 in decimal format (200 and 4000 in hexadecimal format).

5. Restart DNS server.

Caution

When configuring the UDP packet size to be larger than 512 bytes, remember that UDP packets must pass through devices other than the UDP hosts themselves, such as routers, and those devices may not support UDP packets larger than 512 bytes. It is recommended that you establish the maximum UDP packet length supported by all devices on the path, and the path's MTU if possible, and configure your UDP hosts according to that maximum.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open Registry Editor, click Start, click Run, type regedit, and then click OK.

For information on discovering the maximum transmission unit (MTU) of an arbitrary Internet path, see Request for Comment (RFC) 1191, "Path MTU Discovery."
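The DNSSEC, EDNS0 and UDP procedures above each write a DWORD under the same Parameters subkey and each documents a valid range. The following script is an added example, not part of the original help text: it audits those four entries against the documented ranges, using a constructed sample first so the checks can be read without touching a live server. The function names (Test-DnsParameterEntries, Get-DnsParameterEntries, New-DnsFinding) are hypothetical names chosen here.

```powershell
# Added example (not from the original help text): audit the documented DNSSEC,
# EDNS0 and UDP entries under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
# Function names below are hypothetical, chosen for this example.

$DnsParametersKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$DocumentedEntries = 'EnableDnsSec', 'EDNSCacheTimeout', 'EnableEDNSProbes', 'MaximumUdpPacketSize'

function New-DnsFinding([string]$Entry, $Value, [string]$Status, [string]$Note) {
    [pscustomobject]@{ Entry = $Entry; Value = $Value; Status = $Status; Note = $Note }
}

function Test-DnsParameterEntries {
    # $Entries maps entry name to its DWORD value. A missing key means the entry is
    # absent from the registry, which the checks treat as "the default applies".
    param([hashtable]$Entries)

    # EnableDnsSec: absent behaves like 0x1 (DNSSEC RRs only for OPT-bearing queries).
    $v = $Entries['EnableDnsSec']
    if ($null -eq $v) {
        New-DnsFinding 'EnableDnsSec' '(absent)' 'OK' 'Same as 0x1: DNSSEC RRs only when the query carried an OPT RR'
    } elseif ($v -eq 0 -or $v -eq 1 -or $v -eq 2) {
        $meaning = @{ 0 = 'DNSSEC RRs only for SIG/KEY/NXT queries'
                      1 = 'DNSSEC RRs only for OPT-bearing queries (RFC 2671)'
                      2 = 'DNSSEC RRs in every response (RFC 2535)' }
        New-DnsFinding 'EnableDnsSec' $v 'OK' $meaning[[int]$v]
    } else {
        New-DnsFinding 'EnableDnsSec' $v 'Invalid' 'Documented values are 0x0, 0x1 and 0x2'
    }

    # EDNSCacheTimeout: seconds, 3600 (1 hour) to 15724800 (182 days).
    $v = $Entries['EDNSCacheTimeout']
    if ($null -eq $v) {
        New-DnsFinding 'EDNSCacheTimeout' '(absent)' 'OK' 'Server default applies'
    } elseif ($v -ge 3600 -and $v -le 15724800) {
        New-DnsFinding 'EDNSCacheTimeout' $v 'OK' ('Remote EDNS support cached for {0:N0} seconds' -f $v)
    } else {
        New-DnsFinding 'EDNSCacheTimeout' $v 'Invalid' 'Must be between 3600 (1 hour) and 15724800 (182 days)'
    }

    # EnableEDNSProbes: 1 = probe remote servers, 0 = do not probe (EDNS still used on request).
    $v = $Entries['EnableEDNSProbes']
    if ($null -eq $v) {
        New-DnsFinding 'EnableEDNSProbes' '(absent)' 'OK' 'Server default applies'
    } elseif ($v -eq 1) {
        New-DnsFinding 'EnableEDNSProbes' $v 'OK' 'Server probes remote servers for EDNS support'
    } elseif ($v -eq 0) {
        New-DnsFinding 'EnableEDNSProbes' $v 'OK' 'No probing; EDNS is still used when a remote server requests it'
    } else {
        New-DnsFinding 'EnableEDNSProbes' $v 'Invalid' 'Documented values are 0 and 1'
    }

    # MaximumUdpPacketSize: bytes, 512 (0x200) to 16384 (0x4000); default 1280.
    $v = $Entries['MaximumUdpPacketSize']
    if ($null -eq $v) {
        New-DnsFinding 'MaximumUdpPacketSize' '(absent)' 'Review' 'Default of 1280 bytes applies; confirm the path MTU supports it (RFC 1191)'
    } elseif ($v -lt 512 -or $v -gt 16384) {
        New-DnsFinding 'MaximumUdpPacketSize' $v 'Invalid' 'Must be between 512 and 16384 bytes (0x200 to 0x4000)'
    } elseif ($v -gt 512) {
        New-DnsFinding 'MaximumUdpPacketSize' $v 'Review' 'Above 512 bytes: verify intermediate devices and the path MTU support this size'
    } else {
        New-DnsFinding 'MaximumUdpPacketSize' $v 'OK' 'Classic 512-byte DNS UDP limit'
    }
}

function Get-DnsParameterEntries {
    # Reads the live values of the documented entries; run this on the DNS server itself.
    $props   = Get-ItemProperty -Path $DnsParametersKey -ErrorAction Stop
    $entries = @{}
    foreach ($name in $DocumentedEntries) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -ne $prop) { $entries[$name] = [int64]$prop.Value }
    }
    return $entries
}

# Constructed sample: one valid entry, one out-of-range entry, one absent entry,
# and one size that warrants a path-MTU review.
$sample = @{ EnableDnsSec = 2; EDNSCacheTimeout = 600; MaximumUdpPacketSize = 4096 }
Test-DnsParameterEntries -Entries $sample | Format-Table -AutoSize

# On the DNS server: Test-DnsParameterEntries -Entries (Get-DnsParameterEntries) | Format-Table -AutoSize
```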

Monitor servers

Select and enable debug logging options on the DNS server

Disable debug logging options on the DNS server

Test a simple query on the DNS server

Test a recursive query on the DNS server

Enable automatic query testing on the DNS server

View the DNS server system event log

View a DNS server debug log file

Verify DNS server responsiveness using the nslookup command

To select and enable debug logging options on the DNS server

1. Open DNS.

2. In the console tree, right-click the applicable DNS server, then click Properties.

3. Click the Debug Logging tab.

4. Select Log packets for debugging, and then select the events that you want the DNS server to record for debug logging.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To set the debug logging options, you must first select Log packets for debugging.

To get useful debug logging output you need to select a Packet direction, a Transport protocol and at least one more option.

In addition to selecting events for the DNS debug log file, you can specify the file name, location, and maximum file size for the file.

Using debug logging options slows DNS server performance. For this reason, all debug logging options are disabled by default.

To disable debug logging options on the DNS server

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. Click the Debug Logging tab.

5. Clear the Log packets for debugging check box, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To test a simple query on the DNS server

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. Click the Monitoring tab.

5. Select the A simple query against this DNS server check box.

6. Click Test Now.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Results of the query test appear in Test results.

To test a recursive query on the DNS server

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. Click the Monitoring tab.

5. Select the A recursive query to other DNS servers check box.

6. Click Test Now.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Results of the query test appear in the Test results list box.

To enable automatic query testing on the DNS server

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

o DNS/applicable DNS server

3. On the Action menu, click Properties.

4. Click the Monitoring tab.

5. Select the type of testing to be used during automatic query testing. You can select one or both of the following:

o A simple query against this DNS server

o A recursive query to other DNS servers

6. Select the Perform automatic testing at the following interval check box.

7. Set the Test interval to be used.

The query tests that you select are performed at regular intervals based on the value of the interval you specify. The default polling interval is 1 minute.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Results of automated query tests appear in Test results and are updated after each test interval.

To view the DNS server system event log

1. Open DNS.

2. In the console tree, click DNS Events.

Where?

o DNS/applicable DNS server/Event Viewer/DNS Events

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

If the DNS server for which you want to view the log is located on another computer, in the console tree, click DNS, and then on the Action menu, click Connect to DNS Server. Click The following computer, and then specify the name or IP address of the remote computer.

To view a DNS server debug log file

1. Stop the DNS Server service.

2. Open WordPad.

3. On the File menu, click Open.

4. In Open, for File name, specify the path to the DNS server debug log file.

By default, if the applicable DNS server is running locally, the file and path are as follows:

systemroot\System32\Dns\Dns.log

5. After you specify the correct path and file, click Open to view the log file.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open WordPad, click Start, point to All programs, point to Accessories, and then click WordPad.

To stop the DNS Server service, see Related Topics.

The location of the DNS.log file is managed using the DNS console. To specify the name and location of the DNS.log file, see Related Topics.

By default, the Dns.log file is empty if you have not previously enabled debug logging options.

Debug logging slows DNS server performance and should only be enabled for temporary use.
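Reading a Dns.log in WordPad works for a quick look, but the packet lines written by Log packets for debugging are regular enough to summarise. The script below is an added example, not part of the original help text: it parses packet lines, counts the queries each remote address sent and the NXDOMAIN answers it received, and flags addresses above a threshold. The field layout assumed by the pattern (date, time, thread id, PACKET, transport, direction, remote IP, XID, optional R, Q, bracketed flags and RCODE, QTYPE, label-encoded name) and the sample lines are constructed for this example; ConvertFrom-DnsDebugLog and Get-DnsPeerSummary are hypothetical names chosen here.

```powershell
# Added example (not from the original help text): summarise Dns.log packet lines.
# The line layout assumed below is a constructed approximation of the debug log;
# adjust $DnsPacketLinePattern if your server's lines differ.

$DnsPacketLinePattern = '^(?<date>\S+)\s+(?<time>\S+)\s+(?<tid>\S+)\s+PACKET\s+' +
    '(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<peer>\S+)\s+(?<xid>\S+)\s+(?<resp>R\s+)?Q\s+' +
    '\[(?<flags>[0-9A-Fa-f]+)\s*(?<bits>[A-Z]*)\s+(?<rcode>[A-Z]+)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)\s*$'

function ConvertFrom-DnsDebugLog {
    # Turns each packet line into an object; EVENT lines and anything else are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch $DnsPacketLinePattern) { continue }
        # Names are logged as length-prefixed labels, e.g. (3)www(7)example(3)com(0)
        $qname = ($Matches['qname'] -replace '\(\d+\)', '.').Trim('.')
        [pscustomobject]@{
            Time       = '{0} {1}' -f $Matches['date'], $Matches['time']
            Transport  = $Matches['proto'].ToUpper()
            Direction  = $Matches['dir']          # Rcv = arrived at the server, Snd = sent by it
            Peer       = $Matches['peer']
            IsResponse = [bool]$Matches['resp']   # "R" marks a response packet
            Rcode      = $Matches['rcode'].ToUpper()
            QType      = $Matches['qtype'].ToUpper()
            QName      = $qname
        }
    }
}

function Get-DnsPeerSummary {
    # Queries received per remote address, NXDOMAIN answers sent back to it, and a
    # flag when the query count exceeds $Threshold (tune it to the window you logged).
    param([object[]]$Packets, [int]$Threshold = 3)
    $Packets | Group-Object -Property Peer | ForEach-Object {
        $peer  = $_.Name
        $group = $_.Group
        $queries = @($group | Where-Object { $_.Direction -eq 'Rcv' -and -not $_.IsResponse }).Count
        $nx      = @($group | Where-Object { $_.Direction -eq 'Snd' -and $_.IsResponse -and $_.Rcode -eq 'NXDOMAIN' }).Count
        [pscustomobject]@{ Peer = $peer; Queries = $queries; NxDomain = $nx; Flagged = ($queries -gt $Threshold) }
    } | Sort-Object -Property Queries -Descending
}

# Constructed sample log: 10.0.0.5 sends four queries (one answered NXDOMAIN),
# 10.0.0.9 sends one over TCP, and one EVENT line is present to show it is skipped.
$sampleLog = @(
    '20031212 14:04:05 0B04 PACKET  UDP Rcv 10.0.0.5        0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)'
    '20031212 14:04:05 0B04 PACKET  UDP Snd 10.0.0.5        0003 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)'
    '20031212 14:04:06 0B04 PACKET  UDP Rcv 10.0.0.5        0004   Q [0001   D   NOERROR] A      (6)bogus1(7)example(3)com(0)'
    '20031212 14:04:06 0B04 PACKET  UDP Snd 10.0.0.5        0004 R Q [8081   DR  NXDOMAIN] A      (6)bogus1(7)example(3)com(0)'
    '20031212 14:04:06 0B04 EVENT   The DNS server has started.'
    '20031212 14:04:07 0B04 PACKET  UDP Rcv 10.0.0.5        0005   Q [0001   D   NOERROR] MX     (7)example(3)com(0)'
    '20031212 14:04:07 0B04 PACKET  UDP Rcv 10.0.0.5        0006   Q [0001   D   NOERROR] A      (3)ftp(7)example(3)com(0)'
    '20031212 14:04:08 0B04 PACKET  TCP Rcv 10.0.0.9        0007   Q [0001   D   NOERROR] SOA    (7)example(3)com(0)'
)

$packets = ConvertFrom-DnsDebugLog -Lines $sampleLog
Get-DnsPeerSummary -Packets $packets -Threshold 3 | Format-Table -AutoSize

# For a real log (stop the DNS Server service first, as the procedure above says):
# Get-DnsPeerSummary -Packets (ConvertFrom-DnsDebugLog (Get-Content "$env:SystemRoot\System32\Dns\Dns.log"))
```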

To verify DNS server responsiveness using the nslookup command

1. Open Command Prompt.

2. Type:

nslookup server_ip_address 127.0.0.1

3. If the server is responding, the name "localhost" is returned.

If the server does not respond, continue troubleshooting the DNS server. For more information, see Related Topics.

Value Description

nslookup Specifies the name of the command-line program.

server_ip_address Required. Specifies the IP address of the DNS server whose responsiveness you are verifying.

For example, if the IP address of your DNS server is 10.0.0.1, you would type:

nslookup 10.0.0.1 127.0.0.1

Notes

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type:

nslookup, press ENTER, and then type help

Add and remove zones

Add a forward lookup zone

Add a reverse lookup zone

Add a stub zone

Delete a zone

Pause a zone

Start a zone

To add a forward lookup zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.

3. Follow the instructions to create a new primary, secondary, or stub zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ZoneAdd Required. Adds a zone.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

/Primary|/DsPrimary|/Secondary|/Stub|/DsStub Required. Specifies the type of zone. /DsPrimary and /DsStub specify an Active Directory-integrated zone type.

/file Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the /DsPrimary zone type.

FileName Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the /DsPrimary zone type.

/load Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter does not apply to /DsPrimary.

/a Adds an administrator e-mail address for the zone.

AdminEmail Specifies the administrator email name for the zone.

/DP Adds the zone to an application directory partition. You may also use one of the following:

/DP /domain For domain directory partition (replicates to all DNS servers in the domain).

/DP /forest For forest directory partition (replicates to all DNS servers in the forest).

/DP /legacy For legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy Windows 2000 Server domain controllers.

FQDN Specifies the fully qualified domain name of the directory partition.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneAdd /help

To add a reverse lookup zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.

3. Follow the instructions to create a new reverse lookup zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary} [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZoneAdd Required. Adds a zone.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the in-addr.arpa domain for the zone. For example, 20.1.168.192.in-addr.arpa.

/Primary|/DsPrimary Required. Specifies the type of zone. To specify an Active Directory-integrated zone, type /DsPrimary.

/file Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the /DsPrimary zone type.

FileName Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the /DsPrimary zone type.

/load Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter does not apply to /DsPrimary.

/a Adds an administrator e-mail address for the zone.

AdminEmail Specifies the administrator e-mail name for the zone.

/DP Adds the zone to an application directory partition. You may also use one of the following:

/DP /domain For domain directory partition (replicates to all DNS servers in the domain).

/DP /forest For forest directory partition (replicates to all DNS servers in the forest).

/DP /legacy For legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy Windows 2000 Server domain controllers.

FQDN Specifies the fully qualified domain name of the directory partition.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneAdd /help

To add a stub zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.

3. Follow the instructions to create a new stub zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

The stub zone cannot be hosted on a DNS server that is authoritative for the same zone.

If you choose to integrate the stub zone into Active Directory (using Active Directory as the stub zone's storage method), you have the option to specify that the DNS server hosting the stub zone use a local list of master servers when updating the stub zone's resource records, rather than have the DNS server use the master servers list stored in Active Directory. If you want to use a local master servers list, you will need the IP addresses of the local master servers.

If you want the DNS server hosting a stub zone to use a local list of master servers, see Related Topics.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneAdd ZoneName {/Stub|/DsStub} MasterIPaddress... [/file FileName] [/load] [/DP FQDN]

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZoneAdd Required. Adds a zone.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

/Stub|/DsStub Required. Specifies the type of zone. To specify an Active Directory-integrated stub zone, type /DsStub.

MasterIPaddress... Required. Specifies one or more IP addresses for the master servers of the stub zone, from which it copies zone data.

/file Adds a file for the new zone.

FileName Specifies the name of the zone file.

/load Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically.

/DP Adds the zone to an application directory partition. You may also use one of the following:

/DP /domain For domain directory partition (replicates to all DNS servers in the domain).

/DP /forest For forest directory partition (replicates to all DNS servers in the forest).

/DP /legacy For legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy domain controllers running Windows 2000 Server.

FQDN Specifies the fully qualified domain name of the directory partition.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneAdd /help

The stub zone cannot be hosted on a DNS server that is authoritative for the same zone.

If you choose to integrate the stub zone into Active Directory (using Active Directory as the stub zone's storage method), you have the option to specify that the DNS server hosting the stub zone use a local list of master servers when updating the stub zone's resource records, rather than have the DNS server use the master servers list stored in Active Directory. If you want to use a local master servers list, you will need the IP addresses of the local master servers.

If you want the DNS server hosting a stub zone to use a local list of master servers, see Related Topics.

To delete a zone

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable zone.

Where?

o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Delete.

4. When asked to confirm that you want to delete the zone, click OK.

Caution

Deleting an Active Directory-integrated zone effectively deletes the zone and eliminates its use at all other DNS servers using the same directory store of zone data.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

This procedure is most often used to delete a secondary copy of a zone, although it can also be used to delete a primary zone.

Deleting a standard primary zone is usually unnecessary, unless you are redesigning your DNS namespace and the zone is no longer needed or used. In most cases, you can change the zone type if you only want to modify the zone. For more information, see Related Topics.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneDelete ZoneName [/DsDel] [/f]

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZoneDelete Required. Specifies the command to delete the zone specified by ZoneName.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone you are deleting.

/DsDel Deletes the zone from Active Directory.

/f Performs the command without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the resource record.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneDelete /help

To pause a zone

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable zone.

Where?

o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.

4. On the General tab, click Pause, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, zones are started when created or loaded at the server. Once you use this procedure to pause a zone, you must restart the zone before it is available for servicing clients or zone updates.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZonePause ZoneName

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZonePause Required. Pauses the zone.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To start a zone

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable zone.

Where?

o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.

4. On the General tab, click Start, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, zones are started when created or loaded at the server. Only zones that have previously been paused need to be restarted.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneResume ZoneName

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZoneResume Required. Resumes the hosting of the zone by the DNS server.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone resuming operation.

Notes

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

By default, zones are started when created or loaded at the server. Only zones that have previously been paused need to be restarted.

Configure zone properties

Change the zone type

Change a zone file name

Change zone replication scope

Modify the start of authority (SOA) record for a zone

Modify zone transfer settings

Create and manage a notify list for a zone

Create a zone delegation

Verify a zone delegation using the nslookup command

Configure a stub zone for local master servers

Specify other DNS servers as authoritative for a zone

Update the master server for a secondary zone

Enable DNS to use WINS resolution

Verify WINS as the source for answering a DNS query

To change the zone type

To change the zone type using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone, and then click Properties.

3. On the General tab, note the current zone type, and then click Change.

4. In Change Zone Type, select a zone type other than the current one, and then click OK.

Additional considerations

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

You can select from Primary zone, Secondary zone, or Stub zone. When selecting the secondary or stub zone types, you must specify the IP address of another DNS server to be used as the source for obtaining updated information for the zone.

If the DNS server computer is operating as a domain controller, the option to change the zone type to Active Directory-integrated is available. This option is not otherwise available. When this zone type is selected for use, zone data is stored and replicated as part of the Active Directory database.

Note

You cannot change the zone type (primary, secondary, or stub) and the method for storing the zone at the same time. You must perform the two operations separately.

Changing a zone from secondary to primary type can affect other zone activities, including management of dynamic updates and zone transfers and the use of DNS notify lists to notify other servers about changes in the zone. For more information, see Related Topics.

Changing a zone from stub to primary type or vice versa is not recommended due to the purpose of stub zones.

Changing DNS zone type or storage can be time-consuming for large zones.

To change the zone type using a command line

1. Open Command Prompt.

2. Type the following command, and then press ENTER:

dnscmd ServerName /ZoneResetType ZoneName Property [MasterIPaddress...] [/file FileName] {/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN}

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

Property Required. One of the following zone types:

/Primary

Standard primary zone. The /file FileName option is required.

/DsPrimary

Active Directory Domain Services (AD DS)–integrated primary zone. If the zone is not already a primary zone, you must convert it to a primary zone (using /Primary) before you use this option to integrate the zone with AD DS.

/Secondary

Secondary zone. You must specify at least one MasterIPaddress.

/Stub

Stub zone. You must specify at least one MasterIPaddress. If the zone is an AD DS–integrated primary zone, you must use /DsStub to convert it to an AD DS–integrated stub zone before using this option.

/DsStub

Active Directory-integrated stub zone. You must specify at least one MasterIPaddress. If the zone is not already a stub zone, you must convert it to a stub zone (using /Stub) before using this option to integrate the zone with AD DS.

/file FileName Required for /Primary. Specifies the name of a file for the new zone. This parameter is not valid for the /DsPrimary zone type.

MasterIPaddress... Required for /Secondary, /Stub and /DsStub. Specifies one or more IP addresses for the master servers of the secondary or stub zone, from which it copies zone data.

/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN /OverWrite_Mem overwrites existing DNS data using the data in Active Directory. /OverWrite_Ds overwrites Active Directory data with data in DNS. /DirectoryPartition stores the new zone in the application directory partition specified by FQDN, such as DomainDnsZones.corp.example.microsoft.com.

Additional considerations

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneResetType /help

You can select from primary, secondary or stub zone. When selecting the secondary or stub zone type, you need to specify the IP address of another DNS server to be used as the source for obtaining updated information for the zone.

If the DNS server computer is operating as a domain controller, the option to change the zone type to Active Directory-integrated is available. This option is not otherwise available. When this zone type is selected for use, zone data is stored and replicated as part of the Active Directory database.

Changing a zone from secondary to primary type can affect other zone activities, including management of dynamic updates and zone transfers, and the use of DNS notify lists to notify other servers about changes in the zone.

Changing a zone from stub to primary type or vice versa is not recommended due to the purpose of stub zones.

To change a zone file name

1. Open DNS.

2. In the console tree, click the applicable zone.

Where?

o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.

4. On the General tab, in the Zone file name text box, type the new file name for this zone.

5. Click OK when you have finished entering the new zone file name.

Caution

If the zone file name is changed, be sure to update Zone file name on other DNS servers that maintain this zone. Otherwise, subsequent zone transfers and updates might fail. This can occur in the following situations:

o The zone type is primary on this server.

o The zone type is secondary on this server and this server acts as a source or master server for this zone to other DNS servers that host secondary copies of this zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

The name of the zone file changes, not the name of the zone. You can use Windows Explorer to view or verify the new zone file name.

The zone file name is not used for Active Directory-integrated zones because these zones store zone data in the Active Directory database and not a text file on the DNS server computer.

To change zone replication scope

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone, and then click Properties.

3. On the General tab, note the current zone replication type, and then click Change.

4. Select a replication scope for the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Only Active Directory-integrated primary and stub forward lookup zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope.

This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneChangeDirectoryPartition ZoneName NewPartitionName

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZoneChangeDirectoryPartition Required. Changes a zone's replication scope.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NewPartitionName Required. The FQDN of the DNS application directory partition where the zone will be stored.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneChangeDirectoryPartition /?

Only Active Directory-integrated primary forward lookup zones and Active Directory-integrated stub zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope.

This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To modify the start of authority (SOA) record for a zone

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone, and then click Properties.

3. Click the Start of Authority (SOA) tab.

4. As needed, modify properties for the start of authority (SOA) record.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

The settings applied for the start of authority (SOA) record affect how zone transfers are made between servers. For more information, see Related Topics.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/RecordAdd Required. Adds or modifies a resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

/Aging Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)

SOA Required. Specifies the type of resource record you are modifying.

PrimSvr Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.

Admin Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.

Serial# Required. Specifies the version information for the zone.

Refresh Required. Specifies the refresh interval for the zone. The standard setting is 3600 (one hour).

Retry Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).

Expire Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).

MinTTL Required. Specifies the minimum Time to Live (TTL) value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).
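As an added example (not code from the original documentation or from the dnscmd tool), the function below assembles the complete SOA command line that the note above requires, with every field present, and rejects obviously wrong input before anything reaches the server: an "@" in the responsible-person field, or refresh, retry and expire timers in the wrong order. It is plain PowerShell with no DNS module dependency; the zone, host names and serial number in the sample call are constructed.

```powershell
# Added example: build a full "dnscmd /RecordAdd ... SOA ..." command line.
# dnscmd replaces the whole SOA record, so every field must be supplied.

function New-SoaRecordCommand {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$PrimaryServer,   # FQDN of the primary, e.g. ns1.corp.example.com (constructed)
        [Parameter(Mandatory)][string]$Admin,           # responsible person, written hostmaster.corp.example.com, not hostmaster@...
        [Parameter(Mandatory)][uint32]$CurrentSerial,   # serial currently published in the zone
        [string]$ServerName = '.',                      # "." is the local DNS server, as in the dnscmd syntax above
        [int]$Refresh = 3600,                           # defaults are the "standard settings" from the table above
        [int]$Retry   = 600,
        [int]$Expire  = 86400,
        [int]$MinTtl  = 3600
    )

    # The responsible-person field is a domain name; the "@" of a mail
    # address must already have been replaced by a period.
    if ($Admin.Contains('@')) {
        throw "Admin '$Admin' must use '.' in place of '@' (DNS responsible-person syntax)"
    }

    # Secondaries retry every Retry seconds after a failed refresh and stop
    # answering for the zone after Expire seconds, so the timers only make
    # sense as Retry < Refresh < Expire.
    if (-not ($Retry -lt $Refresh -and $Refresh -lt $Expire)) {
        throw "Expected Retry ($Retry) < Refresh ($Refresh) < Expire ($Expire)"
    }
    if ($MinTtl -le 0) { throw "MinTtl must be positive" }

    # Secondaries only pull a new copy when the serial increases; wrap at 2^32.
    $newSerial = if ($CurrentSerial -eq [uint32]::MaxValue) { [uint32]0 } else { $CurrentSerial + 1 }

    # "@" as NodeName addresses the zone's root node, where the SOA lives.
    "dnscmd $ServerName /RecordAdd $ZoneName @ SOA $PrimaryServer $Admin $newSerial $Refresh $Retry $Expire $MinTtl"
}

# Constructed sample call. The command is returned as text, not executed;
# review it, then run it (or pipe it to Invoke-Expression) deliberately.
New-SoaRecordCommand -ZoneName 'corp.example.com' `
    -PrimaryServer 'ns1.corp.example.com' `
    -Admin 'hostmaster.corp.example.com' `
    -CurrentSerial 2024010105
```

The function returns the command rather than running it so that the new serial and timers can be checked against the values shown on the Start of Authority (SOA) tab before the record is overwritten.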

To modify DNS zone transfer settings

Using the Windows interface

1. Open DNS.

2. Right-click a DNS zone, and then click Properties.

3. On the Zone Transfers tab, do one of the following:

o To disable zone transfers, clear the Allow zone transfers check box.

o To allow zone transfers, select the Allow zone transfers check box.

4. If you allowed zone transfers, do one of the following:

o To allow zone transfers to any server, click To any server.

o To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.

o To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To improve the security of your DNS infrastructure, zone transfers should only be allowed for either the DNS servers in the name server (NS) resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneResetSecondaries ZoneName {/NoXfr | /NonSecure | /SecureNs | /SecureList [SecondaryIPAddress...]}

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

/NoXfr Disables zone transfers for the zone.

/NonSecure Permits zone transfers to any DNS server.

/SecureNs Permits zone transfers only to DNS servers listed in the zone using name server (NS) resource records.

/SecureList Permits zone transfers only to DNS servers specified by SecondaryIPAddress.

SecondaryIPAddress Required, if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneResetSecondaries /?

To improve the security of your DNS infrastructure, zone transfers should only be allowed for either the DNS servers in the NS resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.
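The following is an added example and is not part of the original documentation or of the dnscmd tool. It audits every primary zone on a server for the "To any server" transfer setting (the /NonSecure state described above) and restricts the exposed zones to the servers in their NS records, the equivalent of /SecureNs. It assumes the DnsServer PowerShell module, which ships with the DNS Server role on Windows Server 2012 and later (or with RSAT); on the Windows Server 2003 systems the page describes, the same remediation is the dnscmd /ZoneResetSecondaries ZoneName /SecureNs command above.

```powershell
# Added example: find and fix zones that allow zone transfers to any server.
# Requires the DnsServer module (Windows Server 2012+ DNS role or RSAT).
#Requires -Modules DnsServer

function Get-ZoneTransferExposure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Only primary zones carry a transfer policy that this server controls.
    # Auto-created zones (localhost, 0.in-addr.arpa, ...) are skipped.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName          = $_.ZoneName
                IsDsIntegrated    = $_.IsDsIntegrated
                # SecureSecondaries values: NoTransfer, TransferAnyServer,
                # TransferToZoneNameServer, TransferToSecureServers
                SecureSecondaries = $_.SecureSecondaries
                SecondaryServers  = ($_.SecondaryServers -join ',')
                # TransferAnyServer is the "To any server" option on the Zone
                # Transfers tab: the whole zone is readable by any host that
                # can reach the server.
                Exposed           = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}

function Set-ZoneTransferToNameServers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # TransferToZoneNameServer is the /SecureNs setting: only the servers
    # listed in the zone's NS records may request a transfer.
    if ($PSCmdlet.ShouldProcess("$ZoneName on $ComputerName", 'Restrict zone transfers to NS servers')) {
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $ZoneName `
            -SecureSecondaries TransferToZoneNameServer
    }
}

# Report first, then remediate. -WhatIf shows what would change; drop it
# once the list has been reviewed.
$exposed = Get-ZoneTransferExposure | Where-Object Exposed
$exposed | Format-Table ZoneName, IsDsIntegrated, SecureSecondaries -AutoSize
foreach ($z in $exposed) {
    Set-ZoneTransferToNameServers -ZoneName $z.ZoneName -WhatIf
}
```

Zones whose secondaries are not all in the NS records need the /SecureList form instead (Set-DnsServerPrimaryZone -SecureSecondaries TransferToSecureServers -SecondaryServers ...), so check the SecondaryServers column before switching a zone to the NS-only policy.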

To create and manage a notify list for a zone

1. Open DNS.

2. In the console tree, click the applicable zone.

Where?

o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.

4. Click the Zone Transfers tab.

5. Click Notify.

6. Verify that the Automatically notify check box is checked.

7. Select the method to be used for creating a list for notifying other DNS servers when changes to the zone occur. Your options are:

o Use the default, Servers listed on the Name Servers tab, to permit only those servers that appear by IP address on the Name Servers tab to be included in the notify list.

o Select The following servers if you want to specify a different notify list to be used instead.

8. If you selected The following servers in the previous step, add or remove server IP addresses to form the notify list as needed:

o To add a server to the notify list, type its IP address in the IP address field and click Add.

o To remove a server from the notify list, click the server IP address in the list box and click Remove.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Changes to the notify list properties are only available on primary zones. For secondary zones, these properties are read-only. DNS Notify is an RFC-compliant extension of the DNS standard defined in RFC 1996, "A Mechanism for Prompt Notification of Zone Changes."

By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.

To create a zone delegation

Using the Windows interface

1. Open the DNS console.

2. In the console tree, right-click the applicable subdomain, and then click New Delegation.

3. Follow the instructions provided in the New Delegation Wizard to finish creating the new delegated domain.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

All domains (or subdomains) that appear as part of the applicable zone delegation must be created in the current zone prior to performing delegation as described here. As necessary, use the DNS console to first add domains to the zone before completing this procedure. For more information, see Related Topics.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/RecordAdd Required. Specifies the command to add a resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName Required. Specifies the FQDN of the node in the DNS namespace for which the NS record is added; for a delegation this is the name of the delegated subdomain. You can also type the node name relative to the ZoneName, or @, which specifies the zone's root node.

/Aging If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).

NS Required. Specifies that you are adding a name server (NS) resource record to the zone specified in ZoneName.

HostName|FQDN Required. Specifies the host name or FQDN of the new authoritative server.

See the following examples. Both use the full form ServerName /RecordAdd ZoneName NodeName RRType RRData; the first adds a host (A) record for test.contoso.com, the second a mail exchanger (MX) record for the same name:

dnscmd dnssvr1.contoso.com /RecordAdd contoso.com test A 10.0.0.5

dnscmd dnssvr1.contoso.com /RecordAdd contoso.com test MX 10 mailserver.test.contoso.com

For more information, see Dnscmd Syntax.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.


This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

To verify a zone delegation using the nslookup command

1. Open Command Prompt.

2. Type:

nslookup - RootServerIpAddress

3. The hyphen starts nslookup in interactive mode with RootServerIpAddress as the server for every query that follows. Confirm that the Default Server shown at the prompt is the root server; if it is not, type:

server RootServerIpAddress

4. At the next prompt, type:

set norecurse

5. At the next prompt, type:

set q=NS

6. Type the fully qualified domain name (FQDN) for the failed name.

Use the trailing period (.) when entering the name. If zone delegations are set correctly, a list of name server (NS) resource records for delegated servers should be returned in the response.

7. If the NS query response contains no names or IP addresses for delegated servers, keep set q=NS and query again using the FQDN for the parent zone of the failed name.

For example, if the failed name you used in the previous step was example.microsoft.com, query for microsoft.com.

8. If the response contains NS resource records, but no host (A) resource records, type set recurse and query individually for any of the A resource records of servers listed in the NS resource records.


If, for each NS resource record you encounter in a zone, you do not find at least one valid IP address in an A resource record, you have a broken delegation.

9. Either fix the broken delegation or retry the delegation test described in the previous step using a different IP address.

If more than one A resource record or IP address is found, use it to repeat the delegation test described in the previous step. To fix a delegation, add or update an A resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.

 

Value Description

nslookup The name of the command-line tool.

- Starts nslookup in interactive mode using the server named after the hyphen.

RootServerIpAddress The IP address of a valid root server for your network.

set norecurse Clears the recursion-desired (RD) flag on the queries that follow, so the server answers only from its own authoritative data or cache and does not query other servers on your behalf.

set q=NS Sets the query type to name server (NS) resource records.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type:

nslookup, press Enter and then type help
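The nslookup walk-through above is a manual lame-delegation check: ask the parent zone's servers non-recursively which name servers they delegate the child to, then make sure every one of those names resolves to at least one address. The following PowerShell function, added here as an example and not part of the original documentation, performs the same walk automatically using the built-in DnsClient module (Resolve-DnsName, Windows 8 / Windows Server 2012 and later; on Windows Server 2003 you would use nslookup as described). The zone names contoso.com and test.contoso.com are assumptions standing in for your own environment.

```powershell
# Added example: automated version of the nslookup delegation test above.
# Assumptions: DnsClient module available; zone names are placeholders.
function Test-ZoneDelegation {
    param(
        [Parameter(Mandatory)] [string]   $ChildZone,       # e.g. test.contoso.com
        [Parameter(Mandatory)] [string]   $ParentZone,      # e.g. contoso.com
        [string[]] $ParentServers                           # optional: addresses of the parent's servers
    )

    if (-not $ParentServers) {
        # Find the parent's authoritative servers through the normal resolver,
        # then resolve each NS name to an address we can query directly.
        $ParentServers = Resolve-DnsName -Name $ParentZone -Type NS -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'NS' } |
            ForEach-Object {
                Resolve-DnsName -Name $_.NameHost -Type A -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
            }
    }

    foreach ($server in $ParentServers) {
        # Non-recursive query (RD flag clear, like "set norecurse"): the NS records the parent
        # hands back are the delegation it actually publishes, not something it looked up for us.
        try {
            $answer = Resolve-DnsName -Name $ChildZone -Type NS -Server $server -NoRecursion -DnsOnly -ErrorAction Stop
        } catch {
            [pscustomobject]@{ ParentServer = $server; NameServer = $null; Addresses = @(); Status = "no NS response: $($_.Exception.Message)" }
            continue
        }
        $nsNames = $answer | Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost -Unique
        if (-not $nsNames) {
            [pscustomobject]@{ ParentServer = $server; NameServer = $null; Addresses = @(); Status = 'BROKEN: no NS records returned' }
            continue
        }
        foreach ($ns in $nsNames) {
            # Prefer glue from the Additional section; fall back to resolving the NS name itself.
            $addrs = $answer | Where-Object { $_.Type -in 'A', 'AAAA' -and $_.Name -eq $ns } | ForEach-Object { $_.IPAddress }
            if (-not $addrs) {
                $addrs = Resolve-DnsName -Name $ns -Type A -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
            }
            [pscustomobject]@{
                ParentServer = $server
                NameServer   = $ns
                Addresses    = @($addrs)
                Status       = if ($addrs) { 'ok' } else { 'BROKEN: NS name has no address record' }
            }
        }
    }
}

# Usage: one row per (parent server, delegated NS); any BROKEN row is the condition
# step 8 of the procedure describes, and the fix is the same: add or correct the glue
# A record for that name server in the parent zone.
Test-ZoneDelegation -ChildZone 'test.contoso.com' -ParentZone 'contoso.com' | Format-Table -AutoSize
```

Run it from a host that can reach the parent zone's servers directly; if a firewall forces you through a forwarder, pass the parent servers you can reach with -ParentServers, since a recursive resolver in the middle would mask a broken delegation by answering from its cache.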

To configure a stub zone to use local master servers

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the stub zone, and then click Properties.


3. On the General tab, under IP address, modify the list to display the IP addresses of the local master servers that you want the DNS server to use when loading and updating the stub zone.

Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone on this server.

4. Select the Use the list above as a local list of masters check box, and then click OK.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

If the local list of master servers is cleared at a later date, the master servers list from Active Directory is applied and the local list of master servers is deleted.

When modifications to the master servers list are made and applied on a domain controller hosting the stub zone, the list of master servers for the stub zone is updated in Active Directory.

The DNS server will keep the master servers list from Active Directory stored in memory.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneResetMasters ZoneName [/Local] [MasterIPaddress...]

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

/Local Configures the local master list for Active Directory-integrated zones.


MasterIPaddress...

List of one or more IP addresses of master servers for this zone. Master servers may include the server hosting the primary zone or servers hosting other secondary copies for the zone. To clear the local list of masters, type the command without entering any IP addresses. Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone on this server.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneResetMasters /help

If the local list of master servers is cleared at a later date, the master servers list from Active Directory is applied and the local list of master servers is deleted.

When modifications to the master servers list are made and applied on a domain controller hosting the stub zone, the list of master servers for the stub zone is updated in Active Directory.

The DNS server will keep the master servers list from Active Directory stored in memory.

To specify other DNS servers as authoritative for a zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone, and then click Properties.

3. Click the Name Servers tab.

4. Click Add.


5. Specify additional DNS servers by their names and IP addresses, and then click Add to add them to the list.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To add a name server to the list of authoritative servers for the zone, you must specify both the server's IP address and its DNS name. When entering names, click Resolve to resolve the name to its IP address prior to adding it to the list.

DNS servers specified using this procedure are added to those server IP addresses already present for the existing name server (NS) resource record for the zone. Typically, you might only need to perform this procedure at the primary zone when adding DNS servers to act as secondary servers and also to specify that these servers are known to be authoritative when answering queries for zone data.

DNS servers automatically add and perform initial configuration of the NS resource record for each new primary zone added to the server.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/RecordAdd Required. Specifies the command to add a resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName Required. Specifies the FQDN of the node in the DNS namespace for which the NS record is added. You can also type the node name relative to the ZoneName, or @, which specifies the zone's root node.

/Aging If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).

NS Required. Specifies that you are adding a name server (NS) resource record to the zone specified in ZoneName.

HostName|FQDN Required. Specifies the host name or FQDN of the new authoritative server.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

DNS servers specified using this procedure are added to those server IP addresses already present for the existing name server (NS) resource record for the zone. Typically, you might only need to perform this procedure at the primary zone when adding DNS servers to act as secondary servers and also to specify that these servers are known to be authoritative when answering queries for zone data.

DNS servers automatically add and perform initial configuration of the NS resource record for each new primary zone added to the server.

To update the master server for a secondary zone

Using the Windows interface


Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable secondary zone, and then click Properties.

3. On the General tab, in IP address, specify the IP address for a new master server, and then click Add to update the list.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneResetMasters ZoneName [/Local] MasterIPaddress...

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZoneResetMasters Required. Updates the master servers for a secondary zone.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone you are updating.

/Local Specifies the local master list for Active Directory-integrated zones.

MasterIPaddress... Required. Specifies the IP addresses of the master servers the DNS server uses when updating the specified secondary zone. If you omit the addresses, you are asking the DNS server to reset the list to empty; for a secondary zone the request is denied, because a secondary zone must always have at least one master server. Omitting the addresses is meaningful only together with /Local, where it clears the local master list of an Active Directory-integrated stub zone so that the list stored in Active Directory applies again.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneResetMasters /help

To enable DNS to use WINS resolution

1. Open DNS.

2. In the console tree, right-click the applicable zone, then click Properties.

3. Do one of the following:

o If the applicable zone is a forward lookup zone, on the WINS tab, select the Use WINS forward lookup check box. In IP address, type the IP address of a WINS server to be used for resolution of names not found in DNS, and then click Add.

o If the applicable zone is a reverse lookup zone, on the WINS-R tab, select the Use WINS-R lookup check box. In Domain to append to returned name, type a name.

4. Select the Do not replicate this record check box for this WINS record, if applicable.

If you are replicating this zone between DNS servers that do not recognize the WINS or WINS-R resource records, click this check box. This prevents these records from being replicated to these other servers during zone transfers. If this zone will be used in performing zone transfers to BIND servers, this is a critical option as BIND will not recognize WINS records.

Notes


To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

When this option is used, specified WINS servers configured in this procedure are used for final referral of names not found in the applicable zone.

Optionally, click Advanced to adjust advanced WINS lookup parameters.

To verify WINS as the source for answering a DNS query

1. Open Command Prompt.

2. Type:

nslookup

3. After the previous command completes, at the nslookup ("") prompt type:

set debug

4. Next, either type:

set querytype=a

if you are testing for a WINS forward lookup, or:

set querytype=ptr

if you are testing for a WINS-R reverse lookup.

Respectively, these two commands can be used to set the query type to filter either by host (A) or pointer (PTR) resource records as appropriate for researching either a forward or reverse lookup.

5. Based on whether you are verifying possible WINS sourcing for either a forward or reverse lookup, type the appropriate fully qualified domain name (FQDN).

For example, if the forward lookup you are tracing is for a domain name host-a.example.microsoft.com, type:

host-a.example.microsoft.com.


If the reverse lookup you are tracing is for an IP address 10.0.0.1, type:

1.0.0.10.in-addr.arpa.

6. In the response, note whether the server answered authoritatively or non-authoritatively, and note the Time-To-Live (TTL) value.

7. If the server answered authoritatively, repeat the same query you performed in step 5.

8. In the response, note whether the TTL value decreased with the second query answer or if it remained consistent with the TTL value specified in the first query answer.

If the TTL value decreased for an authoritatively answered query, the source of the query answer is a WINS server.

9. To leave debug mode and return to the command prompt, type exit.

 

Value Description

nslookup The name of the command-line program.

set debug Enables the nslookup command to operate in debug mode, providing extended information in the command output. This mode is required to view whether the source of a query answer is authoritative (from a DNS zone or WINS server database) or non-authoritative (cached data from previous queries made by the DNS server or loaded from root hints).

set querytype Changes the type of information query. More information about types can be found in Request for Comments (RFC) 1035.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type:

nslookup, press Enter and then type help

Normally, when a DNS server answers a query from its authoritative zone data, it returns the record-specific TTL (if one is configured) or the zone's minimum or default TTL, and that value is the same on every answer. Only answers built from non-authoritative data, such as a record cached at the server from an earlier query, carry a TTL that decreases as the cached entry ages.

WINS lookups present an exceptional case, where an answer received back from a WINS server is cached by the DNS server but is also considered to be authoritative data. In this case, the WINS sourced data is returned to clients as authoritative but ages while in the DNS server names cache, causing the TTL used by the server to decrease over time.

Manage zones

Allow dynamic updates

Allow only secure dynamic updates

Initiate a zone transfer at a secondary server

Reload or transfer a stub zone

Adjust the refresh interval for a zone

Adjust the retry interval for a zone

Adjust the expire interval for a zone

Modify security for a directory-integrated zone

Allow dynamic updates

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To allow dynamic updates

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone, and then click Properties.


3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.

4. In Dynamic Updates, click Nonsecure and secure.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATES)."

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}

 

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/Config Required. Specifies the configuration command.

ZoneName|..AllZones Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones hosted on the specified DNS server to allow dynamic updates, type ..AllZones.

/AllowUpdate Required. Specifies the allow update command.

1|0 Configures dynamic update. To allow dynamic updates, enter a value of 1. To not allow dynamic updates, enter a value of 0.

Notes


To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /Config /help

Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATES)."

To allow only secure dynamic updates

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone and click Properties.

3. On the General tab, verify that the zone type is Active Directory-integrated.

4. In Dynamic Updates, click secure only.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configured differently, you must change the zone type and directory integrate the zone prior to securing it for DNS dynamic updates.

Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."


By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.

This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate 2

 

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/Config Required. Specifies the configuration command.

ZoneName|..AllZones Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones hosted on the specified DNS server to allow secure dynamic updates only, type ..AllZones.

/AllowUpdate Required. Specifies the allow update command.

2 Required. Configures the zone to accept secure dynamic updates only. The other values are 1, which allows both nonsecure and secure updates, and 0, which disables dynamic update for the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.


To view the complete syntax for this command, at a command prompt, type:

dnscmd /Config /help

Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."

By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.

This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.
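The procedures above for local master servers on a stub zone, for adding NS records, and for the dynamic update mode all decide who may push data into a zone or pull data out of it: a master server is trusted as the source of the zone, an NS record also grants zone-transfer rights when transfers are limited to NS-listed servers, and nonsecure dynamic update lets any host on the network overwrite records. The following script, added here as an example and not part of the original documentation, audits those settings across a server's zones with the DnsServer PowerShell module (Windows Server 2012 and later; on Windows Server 2003 the same values are shown by dnscmd /ZoneInfo). The trusted server list is an assumption to be replaced with your own names and addresses.

```powershell
# Added example: audit zone settings that control who may update or copy a zone.
# Assumptions: DnsServer module present; $TrustedServers is a placeholder list.
function Get-DnsZoneAudit {
    param(
        [string]   $ComputerName   = $env:COMPUTERNAME,
        [string[]] $TrustedServers = @('ns1.contoso.com', 'ns2.contoso.com', '10.0.0.1', '10.0.0.2')
    )
    $trusted = $TrustedServers | ForEach-Object { $_.TrimEnd('.').ToLower() }

    foreach ($zone in Get-DnsServerZone -ComputerName $ComputerName | Where-Object { -not $_.IsAutoCreated }) {
        $findings = New-Object System.Collections.Generic.List[string]

        switch ($zone.ZoneType) {
            'Primary' {
                # Equivalent of dnscmd /AllowUpdate 1: anyone can register or overwrite a name.
                if ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
                    $findings.Add('nonsecure dynamic updates allowed; use Secure (/AllowUpdate 2) on an AD-integrated zone')
                }
                # Zone transfer scope; the default described above is TransferToZoneNameServer.
                if ($zone.SecureSecondaries -eq 'TransferAnyServer') {
                    $findings.Add('zone transfers allowed to any server')
                }
                # Every NS record at the zone root is a server that may pull the whole zone.
                $nsHosts = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $zone.ZoneName -RRType NS |
                    Where-Object { $_.HostName -eq '@' } |
                    ForEach-Object { $_.RecordData.NameServer.TrimEnd('.').ToLower() }
                $unknownNs = $nsHosts | Where-Object { $_ -notin $trusted }
                if ($unknownNs) {
                    $findings.Add("NS records (and transfer rights) for unrecognised servers: $($unknownNs -join ', ')")
                }
            }
            { $_ -in 'Secondary', 'Stub' } {
                # Masters are the servers this copy will accept zone data from.
                $masters = @($zone.MasterServers | ForEach-Object { $_.IPAddressToString })
                $unknownMasters = $masters | Where-Object { $_ -notin $trusted }
                if ($unknownMasters) {
                    $findings.Add("master servers outside the trusted set: $($unknownMasters -join ', ')")
                }
            }
        }

        [pscustomobject]@{
            Zone          = $zone.ZoneName
            Type          = $zone.ZoneType
            DsIntegrated  = $zone.IsDsIntegrated
            DynamicUpdate = $zone.DynamicUpdate
            Transfers     = $zone.SecureSecondaries
            Findings      = ($findings -join '; ')
        }
    }
}

# Usage: review the Findings column; an empty value means the zone matched the expected posture.
Get-DnsZoneAudit | Format-Table -AutoSize
```

To remediate a primary zone the audit flags, the corresponding cmdlet is Set-DnsServerPrimaryZone with -DynamicUpdate Secure (only valid for an Active Directory-integrated zone, as the note above explains) and -SecureSecondaries TransferToZoneNameServer, which is the same posture as the dnscmd /AllowUpdate 2 command and the default zone-transfer restriction described in this section.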

To initiate a zone transfer at a secondary server

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone and click Transfer from master.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

This procedure compares the serial number in the secondary zone's start of authority (SOA) resource record with the serial number of the SOA resource record on the master server. If the serial numbers match, there is no zone transfer. If the master's serial number is higher, a zone transfer occurs.

By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneRefresh ZoneName

 

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZoneRefresh Required. Updates the secondary zone.

ZoneName Required. Specifies the name of the secondary zone to update.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneRefresh /help

This procedure compares the serial number in the secondary zone's start of authority (SOA) resource record with the serial number of the SOA resource record on the master server. If the serial numbers match, there is no zone transfer. If the master's serial number is higher, a zone transfer occurs.

By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.

To reload or transfer a stub zone

Using the Windows interface

Using a command line


Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable stub zone, and do one of the following:

o To reload the stub zone from storage, click Reload.

o To have the DNS server compare the serial number in its copy of the stub zone's SOA resource record with the master's, and perform a zone transfer from the stub zone's master server only if the master's serial number is higher, click Transfer from Master.

o To perform a zone transfer from the stub zone's master server regardless of the serial number in the stub zone's SOA resource record, click Reload from Master.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName {/ZoneReload|/ZoneUpdateFromDs|/ZoneRefresh} ZoneName

 

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZoneReload Reloads the stub zone.

/ZoneUpdateFromDs Reloads the stub zone from Active Directory.

/ZoneRefresh Refreshes the stub zone. The DNS server will determine if the serial number in the stub zone's SOA resource record has expired. If the serial number has expired, the DNS server will perform a zone transfer from the stub zone's master server.

ZoneName Required. Specifies the name of the stub zone you want to reload or refresh.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneReload /help or dnscmd /ZoneUpdateFromDs /help or dnscmd /ZoneRefresh /help.

There is no dnscmd command to perform a zone transfer regardless of the SOA resource record's expiration date. To perform this operation, use the Windows interface procedure.

To adjust the refresh interval for a zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone and click Properties.

3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.

4. Click the Start of Authority (SOA) tab.

5. In Refresh interval, click a time period in minutes, hours, or days, and type a number in the text box.

6. Click OK to save the adjusted interval.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, the refresh interval for each zone is set to 15 minutes. The refresh interval is used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.

Using a command line

1. Open Command Prompt.

2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/RecordAdd Required. Adds or modifies a resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

/Aging Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).

SOA Required. Specifies the type of resource record you are modifying.

PrimSvr Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.

Admin Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.

Serial# Required. Specifies the version information for the zone.

Refresh Required. Specifies the refresh interval for the zone. The standard setting is 900 (15 minutes).

Retry Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).

Expire Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).

MinTTL Required. Specifies the minimum Time-To-Live value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).

By default, the refresh interval for each zone is set to 15 minutes. The refresh interval is used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.

To adjust the retry interval for a zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone and click Properties.

3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.

4. Click the Start of Authority (SOA) tab.

5. In Retry interval, click an interval in minutes, hours, or days, and type a number in the text box.

6. Click OK to save the adjusted interval.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, the retry interval for each zone is set at 10 minutes. The retry interval is used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time the refresh interval occurs.

Using a command line

1. Open Command Prompt.

2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/RecordAdd Required. Adds or modifies a resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

/Aging Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).

SOA Required. Specifies the type of resource record you are modifying.

PrimSvr Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.

Admin Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.

Serial# Required. Specifies the version information for the zone.

Refresh Required. Specifies the refresh interval for the zone. The standard setting is 3600 (one hour).

Retry Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).

Expire Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).

MinTTL Required. Specifies the minimum Time-To-Live value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).

By default, the retry interval for each zone is set at 10 minutes. The retry interval is used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time the refresh interval occurs.

To adjust the expire interval for a zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone and click Properties.

3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.

4. Click the Start of Authority (SOA) tab.

5. In Expires after, click an interval in either minutes, hours, or days, and then type a number in the text box.

6. Click OK to save the adjusted interval.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, the expire interval for each zone is set to 1 day. The expire interval is used by other DNS servers configured to load and host the zone to determine when zone data expires if not renewed.

Using a command line

1. Open Command Prompt.

2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/RecordAdd Required. Adds or modifies a resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

/Aging Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).

SOA Required. Specifies the type of resource record you are modifying.

PrimSvr Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.

Admin Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.

Serial# Required. Specifies the version information for the zone.

Refresh Required. Specifies the refresh interval for the zone. The standard setting is 3600 (one hour).

Retry Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).

Expire Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).

MinTTL Required. Specifies the minimum Time-To-Live value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).
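Because dnscmd rewrites the whole SOA record, changing one timer (the refresh, retry or expire procedures above) means re-supplying all seven values. The following Python wrapper is an added example, not code from the help page or from Microsoft: it keeps the seven values together, bumps the serial on every change so secondaries notice it, applies a sanity check on the timer ordering, and assembles the dnscmd ServerName /RecordAdd ZoneName @ SOA ... command line documented above. It also shows, from the same timers, how a secondary treats its copy of the zone over time. The class and function names are this example's own; the sample serial and names are constructed.

```python
# Added example: wrapper around "dnscmd ServerName /RecordAdd ZoneName @ SOA
# PrimSvr Admin Serial# Refresh Retry Expire MinTTL" plus the secondary-side
# meaning of the SOA timers.  Names below are this example's own.
import platform
import subprocess
from dataclasses import dataclass, replace
from typing import List, Optional

SERIAL_MOD = 1 << 32  # SOA serials are unsigned 32-bit counters


@dataclass(frozen=True)
class Soa:
    prim_svr: str          # PrimSvr: FQDN of the primary server
    admin: str             # Admin: mailbox with '@' written as '.'
    serial: int            # Serial#: zone version
    refresh: int = 900     # Refresh: default given on the page, 15 minutes
    retry: int = 600       # Retry: default given on the page, 10 minutes
    expire: int = 86400    # Expire: default given on the page, 1 day
    min_ttl: int = 3600    # MinTTL: default given on the page, 1 hour

    def rdata(self) -> List[str]:
        """The seven SOA values in the order dnscmd expects them."""
        return [self.prim_svr, self.admin, str(self.serial), str(self.refresh),
                str(self.retry), str(self.expire), str(self.min_ttl)]


def bump_serial(serial: int) -> int:
    """Increment a 32-bit serial, wrapping at 2^32 (RFC 1982 addition of 1)."""
    return (serial + 1) % SERIAL_MOD


def adjust_interval(soa: Soa, field: str, seconds: int) -> Soa:
    """Return a copy of soa with one timer changed and the serial bumped.

    Secondaries only pick up the change if the serial increases, so the bump
    is not optional.  The ordering check (retry < refresh < expire) follows
    RFC 1912 guidance; it is this example's safeguard, not a dnscmd rule.
    """
    if field not in ("refresh", "retry", "expire", "min_ttl"):
        raise ValueError(f"not an SOA timer: {field}")
    if seconds <= 0:
        raise ValueError("interval must be a positive number of seconds")
    new = replace(soa, **{field: seconds}, serial=bump_serial(soa.serial))
    if not new.retry < new.refresh < new.expire:
        raise ValueError("expected retry < refresh < expire, got "
                         f"{new.retry} < {new.refresh} < {new.expire}")
    return new


def soa_record_add_args(server: str, zone: str, soa: Soa,
                        ttl: Optional[int] = None) -> List[str]:
    """Assemble the dnscmd argument vector; '@' targets the zone root node."""
    args = ["dnscmd", server, "/RecordAdd", zone, "@"]
    if ttl is not None:
        args.append(str(ttl))
    return args + ["SOA"] + soa.rdata()


def secondary_status(soa: Soa, last_refresh_ok: int, now: int) -> dict:
    """How a secondary treats its copy of the zone, from the SOA timers.

    Times are epoch seconds.  After `refresh` seconds it re-checks the
    serial; while that check fails it retries every `retry` seconds; once
    `expire` seconds pass without success it stops serving the zone.
    """
    next_refresh = last_refresh_ok + soa.refresh
    expires_at = last_refresh_ok + soa.expire
    if now >= expires_at:
        state = "expired"        # zone data discarded, no longer answered
    elif now >= next_refresh:
        state = "refresh-due"    # polling the master, retrying every `retry`
    else:
        state = "current"
    return {"state": state, "next_refresh": next_refresh,
            "expires_at": expires_at, "retry_every": soa.retry}


def run_dnscmd(args: List[str]) -> subprocess.CompletedProcess:
    """Execute the assembled command; dnscmd only exists on Windows."""
    if platform.system() != "Windows":
        raise RuntimeError("dnscmd is a Windows support tool")
    return subprocess.run(args, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample values, not from any real zone.
    current = Soa("ns1.example.com.", "hostmaster.example.com.", 2024061501)
    updated = adjust_interval(current, "refresh", 3600)
    print(" ".join(soa_record_add_args(".", "example.com", updated)))
```

The expire timer is the one with a security consequence worth keeping in view: an expire interval far longer than the refresh interval lets a secondary keep answering authoritatively with stale data long after the primary has become unreachable or been changed, so changes to refresh and retry should be reviewed against expire at the same time.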

To modify security for a directory-integrated zone

1. Open DNS.

2. In the console tree, click the applicable zone.

Where?

o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.

4. On the General tab, verify that the zone type is Active Directory-integrated.

5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups and Using Run as.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Secure dynamic updates are only supported for zones stored in Active Directory.

The security settings determine who can administer the zone, but do not affect dynamic updates to the zone. To apply security settings for dynamic updates, see Related Topics.

This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Manage resource records

Add a host (A) resource record to a zone

Add a mail exchanger (MX) resource record to a zone

Add an alias (CNAME) resource record to a zone

Add a new domain to a zone

Add a pointer (PTR) resource record to a reverse zone

Add a resource record to a zone

Modify an existing resource record in a zone

Delete a resource record from a zone

View unsupported resource records in a zone

Modify security for a resource record

To add a host (A) resource record to a zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable forward lookup zone and click New Host.

3. In the Name text box, type the DNS computer name for the new host.

4. In the IP address text box, type the IP address for the new host.

5. As an option, select the Create associated pointer (PTR) record check box to create an additional pointer record in a reverse zone for this host, based on the information you entered in Name and IP address.

6. Click Add Host to add the new host record to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

PTR resource records created automatically when adding an A resource record to a zone will be deleted automatically if the corresponding A resource record is deleted.

Using a command line

1. Open Command Prompt.

2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] A IPAddress

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordAdd Required. Adds a new resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

/Aging Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).

A Required. Specifies the resource record type of the record you are adding.

IPAddress Required. The IP address for the host.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

PTR resource records are deleted automatically if the corresponding A resource record is deleted.

To add a mail exchanger (MX) resource record to a zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable forward lookup zone and click New Mail Exchanger.

3. In the Host or domain text box, type the domain name for which this record is to be used to deliver mail.

4. In the Mail server text box, type the DNS host computer name of the mail exchanger or mail server host that delivers mail for the specified domain name.

As an option, you can click Browse to view the DNS namespace for mail exchanger hosts in this domain that have host (A) records already defined.

5. Adjust the Mail server priority as needed for this zone.

6. Click OK to add the new record to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] MX Preference MXServerName


Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordAdd Required. Adds a new resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone in which you will add the new MX resource record.

NodeName Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

/Aging Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl Specifies the Time-To-Live setting for the resource record.

MX Required. Specifies the MX resource record type for the record you are adding.

Preference Required. Specifies a numeric value (between 0 and 65535) that indicates the mail exchange server's priority with respect to the other mail exchange servers. Lower numbers are given greater preference.

MXServerName Required. Specifies the fully qualified domain name (FQDN) for a mail exchanger. The value entered here must resolve to a corresponding host (A) resource record in this zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

To add an alias (CNAME) resource record to a zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable forward lookup zone, and then click New Alias.

3. In the Alias name text box, type the alias name.

4. In the Fully qualified domain name (FQDN) for target host text box, type the fully qualified domain name of the DNS host computer for which this alias is to be used.

As an option, you can click Browse to search the DNS namespace for hosts in this domain that have host (A) records already defined.

5. Click OK to add the new record to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] CNAME HostName|DomainName


Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/RecordAdd Required. Specifies the command to add a new resource record.

ZoneName Required. Specifies the name of the zone where this CNAME resource record will be added.

NodeName Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

/Aging Specifies that this resource record is aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).

CNAME Required. Specifies the resource record type of the record you are adding.

HostName|DomainName Required. Specifies the FQDN of any valid DNS host or domain name in the namespace. For FQDNs, a trailing period (.) is used to fully qualify the name.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

To add a new domain to a zone

1. Open DNS.

2. In the console tree, click the applicable zone.

Where?

o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click New Domain, and then type the name of the new domain without using periods.

4. Click OK to add the new domain to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To add a pointer (PTR) resource record to a reverse zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable reverse lookup zone.

3. On the Action menu, click New Pointer.

4. In the Host IP number text box, type the host IP address octet number.

5. In the Host name text box, type the fully qualified domain name for the DNS host computer for which this pointer record is to be used to provide reverse lookup (address-to-name resolution).

As an option, you can click Browse to search the DNS namespace for hosts in this domain that have host (A) records already defined.

6. Click OK to add the new record to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

When creating a new A resource record, there is an option to create an associated PTR resource record automatically. PTR resource records created automatically when adding an A resource record to a zone will be deleted automatically if the corresponding A resource record is deleted.

Using a command line

1. Open Command Prompt.

2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] PTR HostName|DomainName

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordAdd Required. Adds a new resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

/Aging Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl Specifies the Time-To-Live setting for the resource record.

PTR Required. Specifies the resource record type.

HostName|DomainName Required. Specifies the FQDN of a resource record located in the DNS namespace. The host you specify is used as the data for answering reverse lookups based on the address information specified by this pointer (PTR) resource record.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

PTR resource records are deleted automatically if the corresponding A resource record is deleted.

To add a resource record to a zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone and click Other New Records.

3. In Select a resource record type list box, select the type of resource record you want to add.

4. Click Create Record.

5. In New Resource Record, enter the information needed to complete the resource record.

6. After you specify all of the necessary information for the resource record, click OK to add the new record to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordAdd Required. Adds a new resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

/Aging Specifies that this resource record can be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl Specifies the Time-To-Live setting for the resource record.

RRType RRData Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record. For information about each resource record type see the Resource records reference.

Resource record type Resource record data

A IPAddress

NS,CNAME,MB,MD,PTR,MF,MG,MR HostName|DomainName

MX,RT,AFSDB Preference ServerName

SRV Priority Weight Port HostName

SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

AAAA Ipv6Address

TXT,X25,HINFO,ISDN String [String]

MINFO,RP MailboxName ErrMailboxName

WKS Protocol IPAddress Service...

WINS MapFlag LookupTimeout CacheTimeout IPAddress...

WINSR MapFlag LookupTimeout CacheTimeout RstDomainName

Value Description

IPAddress Specifies a standard IP address. For example, 255.255.255.255.

ipv6Address Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8.

Protocol Specifies the transmission protocol: UDP or TCP.

Service Specifies a standard service. For example, domain, smtp.

HostName|DomainName Specifies the FQDN of a resource record located in the DNS namespace.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

To modify an existing resource record in a zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable zone.

3. In the details pane, right-click the resource record you want to modify, and then click Properties.

4. In Properties, edit the properties that can be modified.

If necessary, you can view and modify advanced resource record properties in the DNS console. To display advanced properties, on the View menu, click Advanced.

5. Click OK when you have finished modifying the record.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

When Advanced view options are enabled, you can modify additional settings for an existing resource record, such as its record-specific Time to Live (TTL).

Using a command line

1. Open Command Prompt.

2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordAdd Required. Adds a new resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

RRType RRData Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record. For information about each resource record type see the Resource records reference.

Resource record type Resource record data

A IPAddress

NS,CNAME,MB,MD,PTR,MF,MG,MR HostName|DomainName

MX,RT,AFSDB Preference ServerName

SRV Priority Weight Port HostName

SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

AAAA Ipv6Address

TXT,X25,HINFO,ISDN String [String]

MINFO,RP MailboxName ErrMailboxName

WKS Protocol IPAddress Service...

WINS MapFlag LookupTimeout CacheTimeout IPAddress...

WINSR MapFlag LookupTimeout CacheTimeout RstDomainName

Value Description

IPAddress Specifies a standard IP address. For example, 255.255.255.255.

ipv6Address Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8.

Protocol Specifies the transmission protocol: UDP or TCP.

Service Specifies a standard service. For example, domain, smtp.

HostName|DomainName Specifies the FQDN of a resource record located in the DNS namespace.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordAdd /help

To delete a resource record from a zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable zone.

3. In the details pane, right-click the resource record you want to delete, and then click Delete.

4. When you are asked to confirm that you want to delete the selected resource record, click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

PTR resource records are deleted automatically if the corresponding A resource record is deleted.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordDelete Required. Deletes a resource record.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

RRType RRData Required. Specifies the type of resource record (RR) to delete, followed by the data contained in the resource record. For information about each resource record type see the Resource records reference.

Resource record type Resource record data

A IPAddress

NS,CNAME,MB,MD,PTR,MF,MG,MR HostName|DomainName

MX,RT,AFSDB Preference ServerName

SRV Priority Weight Port HostName

SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

AAAA Ipv6Address

TXT,X25,HINFO,ISDN String [String]

MINFO,RP MailboxName ErrMailboxName

WKS Protocol IPAddress Service...

WINS MapFlag LookupTimeout CacheTimeout IPAddress...

WINSR MapFlag LookupTimeout CacheTimeout RstDomainName

Value Description

IPAddress Specifies a standard IP address. For example, 255.255.255.255.

ipv6Address Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8.

Protocol Specifies the transmission protocol: UDP or TCP.

Service Specifies a standard service. For example, domain, smtp.

HostName|DomainName Specifies the FQDN of a resource record located in the DNS namespace.

/f Specifies that the command is executed without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the resource record.

Important

If the parameter RRData is not specified, all resource records of the same type are deleted.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /RecordDelete /help

If the variable RRData is not specified, all resource record types matching the previous criteria are deleted.

PTR resource records are deleted automatically if the corresponding A resource record is deleted.
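As an added example (not from the original help content), the following Python script builds the dnscmd /RecordAdd command from the PTR and general add procedures above and the /RecordDelete command from this procedure: it derives the reverse lookup zone and node name from an IP address, checks the RRData field count against the resource record table, emits /OpenAcl only on explicit request, and refuses the RRData-less delete form (which removes every record of that type) unless the caller asks for it. The helper names, the local server ".", example.com and the 192.0.2.0/24 addresses are assumptions; dnscmd's syntax is as quoted on the page.

```python
import ipaddress
from typing import Optional, Sequence, Tuple

# Fixed RRData field counts, taken from the page's "Resource record type / data" table.
RRDATA_FIELDS = {
    "A": 1, "AAAA": 1,
    "NS": 1, "CNAME": 1, "MB": 1, "MD": 1, "PTR": 1, "MF": 1, "MG": 1, "MR": 1,
    "MX": 2, "RT": 2, "AFSDB": 2, "MINFO": 2, "RP": 2,
    "SRV": 4, "SOA": 7,
}
# Types whose data is open-ended (String [String], Service..., IPAddress...): minimum count.
RRDATA_MIN_FIELDS = {"TXT": 1, "X25": 1, "HINFO": 1, "ISDN": 1,
                     "WKS": 3, "WINS": 4, "WINSR": 4}


def check_rrdata(rrtype: str, rrdata: Sequence[str]) -> None:
    """Reject RRData whose field count does not match the table for this type."""
    rrtype = rrtype.upper()
    if rrtype in RRDATA_FIELDS:
        if len(rrdata) != RRDATA_FIELDS[rrtype]:
            raise ValueError(f"{rrtype} takes {RRDATA_FIELDS[rrtype]} data field(s), "
                             f"got {len(rrdata)}")
    elif rrtype in RRDATA_MIN_FIELDS:
        if len(rrdata) < RRDATA_MIN_FIELDS[rrtype]:
            raise ValueError(f"{rrtype} takes at least {RRDATA_MIN_FIELDS[rrtype]} data field(s)")
    else:
        raise ValueError(f"unknown resource record type {rrtype}")


def record_add(server: str, zone: str, node: str, rrtype: str, rrdata: Sequence[str],
               aging: bool = False, open_acl: bool = False,
               ttl: Optional[int] = None) -> str:
    """dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData"""
    check_rrdata(rrtype, rrdata)
    parts = ["dnscmd", server, "/RecordAdd", zone, node]
    if aging:
        parts.append("/Aging")    # record gets a time stamp and can be scavenged
    if open_acl:
        # /OpenAcl lets any user modify the record; without it only administrators
        # may, so the switch is emitted only when a caller asks for it explicitly.
        parts.append("/OpenAcl")
    if ttl is not None:
        parts.append(str(ttl))
    return " ".join(parts + [rrtype.upper(), *rrdata])


def reverse_name(ip: str, zone_prefix: Optional[int] = None) -> Tuple[str, str]:
    """Split an address into (reverse lookup zone, node name) for its PTR record.
    zone_prefix is the reverse zone's prefix length: /24 for IPv4 and /64 for IPv6
    unless given; the node is "@" when the address is the zone's root."""
    addr = ipaddress.ip_address(ip)
    labels = addr.reverse_pointer.split(".")    # least significant label first
    digits, suffix = labels[:-2], labels[-2:]   # octets or nibbles, then in-addr/ip6 + arpa
    bits_per_label = 8 if addr.version == 4 else 4
    if zone_prefix is None:
        zone_prefix = 24 if addr.version == 4 else 64
    if zone_prefix % bits_per_label:
        raise ValueError("zone prefix must fall on a label boundary")
    n_zone = zone_prefix // bits_per_label
    zone = ".".join(digits[len(digits) - n_zone:] + suffix)
    node = ".".join(digits[:len(digits) - n_zone]) or "@"
    return zone, node


def ptr_record_add(server: str, ip: str, hostname: str, **kwargs) -> str:
    """The PTR form of /RecordAdd, with zone and node derived from the address."""
    zone, node = reverse_name(ip)
    return record_add(server, zone, node, "PTR", [hostname], **kwargs)


def record_delete(server: str, zone: str, node: str, rrtype: str,
                  rrdata: Optional[Sequence[str]] = None,
                  force: bool = False, delete_all: bool = False) -> str:
    """dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]

    Per the Important note above, omitting RRData deletes every record of that
    type at the node, so that form is produced only when delete_all is set."""
    rrtype = rrtype.upper()
    if rrdata is None:
        if not delete_all:
            raise ValueError(f"no RRData given: this would delete all {rrtype} records "
                             f"at {node}; pass delete_all=True to do that deliberately")
        rrdata = []
    else:
        check_rrdata(rrtype, rrdata)
    parts = ["dnscmd", server, "/RecordDelete", zone, node, rrtype, *rrdata]
    if force:
        parts.append("/f")        # run without the confirmation prompt
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample values: "." is the local server, example.com and
    # 192.0.2.0/24 are documentation names and addresses.
    print(record_add(".", "example.com", "host-a", "A", ["192.0.2.10"], aging=True))
    print(ptr_record_add(".", "192.0.2.10", "host-a.example.com."))
    print(record_delete(".", "example.com", "host-a", "A", ["192.0.2.10"], force=True))
```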

To view unsupported resource records in a zone

1. Open DNS.

2. In the console tree, click the applicable zone.

3. In the details pane, right-click the record you want to view, then click Properties.

4. In Properties, view properties specific to this record.

5. When you have finished viewing the record, click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

The DNS console allows you to view unsupported resource records (RRs) in secondary zones that are obtained from other DNS server implementations, such as DNS servers running versions of BIND. These records are not used by DNS servers running Windows Server 2003 and cannot be managed through the DNS console. These types of records include legacy records, such as mail forwarder (MF) and mail domain (MD) resource records (RRs).

To modify security for a resource record

1. Open DNS.

2. In the console tree, click the applicable zone.

3. In the details pane, click the record you want to view.

4. On the Action menu, click Properties.

5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable record and reset their permissions as needed.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Secure dynamic updates are only supported or configurable for resource records in zones stored in Active Directory.

Security settings applied to resource records only affect dynamic updates. These security settings do not affect who may administer the zone where these resource records are located. For information on the security settings that affect who may administer a zone, see Related Topics.

Resource records with the same name share the same resource record security settings. The names of resource records are listed in the Name column of the DNS console.

This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Use aging and scavenging

Set aging/scavenging properties for the DNS server

Set aging/scavenging properties for a zone

Enable automatic scavenging of stale resource records

Start immediate scavenging of stale resource records

View when a zone can start scavenging stale records

Reset scavenging and aging properties for a specified resource record

To set aging/scavenging properties for the DNS server

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones.

3. Select the Scavenge stale resource records check box.

4. Modify other aging and scavenging properties as needed.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Aging and scavenging properties configured by this procedure act as server defaults that apply only toward Active Directory-integrated zones. For standard primary zones, you must set the appropriate properties at the applicable zone.

Once you apply changes for server aging/scavenging settings, the DNS console prompts you to confirm. You then have the option to apply your changes to new Active Directory-integrated zones only. If needed, you can also apply your changes to existing Active Directory-integrated zones.

Regardless of whether the Scavenge stale resource records check box is selected as described in step 4, for standard primary zones, this feature is disabled unless manually enabled at the applicable zone.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /Config {/ScavengingInterval Value|/DefaultAgingState Value|/DefaultNoRefreshInterval Value|/DefaultRefreshInterval Value}

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/Config Required. Specifies the configuration command.

/ScavengingInterval Required. Sets the frequency by which the server will perform scavenging for all scavenging-enabled zones.

/DefaultAgingState Required. Sets the default aging configuration for all zones on the server.

/DefaultNoRefreshInterval Required. Sets the default No-refresh interval for scavenging-enabled zones.

/DefaultRefreshInterval Sets the default Refresh interval for scavenging-enabled zones.

Value For /ScavengingInterval, type a value in hours. The default is 168 (one week). For /DefaultAgingState, type 1 to enable aging for new zones when they are created. Type 0 to disable aging for new zones. For /DefaultNoRefreshInterval, type a value in hours. The default is 168 (one week). For /DefaultRefreshInterval, type a value in hours. The default is 168 (one week).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /Config /help

To set aging/scavenging properties for a zone

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable zone, then click Properties.

3. On the General tab, click Aging.

4. Select the Scavenge stale resource records check box.

5. Modify other aging and scavenging properties as needed.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /Config {ZoneName|..AllZones} {/Aging Value|/RefreshInterval Value|/NoRefreshInterval Value}

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/Config Required. Specifies the configuration command.

ZoneName|..AllZones Required. Specifies the name of the zone for which you want to set aging and scavenging. To apply the operation to all zones, use ..AllZones.

/Aging Required. Enables aging for zones.

/RefreshInterval Required. Specifies the Refresh interval for a scavenging-enabled zone.

/NoRefreshInterval Required. Specifies the No-refresh interval for a scavenging-enabled zone.

Value Required. For /Aging, type 1 to enable aging. Type 0 to disable aging. For /RefreshInterval, type a value in hours. The default setting is 168 hours (one week). For /NoRefreshInterval, type a value in seconds. The standard setting is 3600 (one hour).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /Config /help

To enable automatic scavenging of stale resource records

1. Open DNS.

2. In the console tree, right-click the applicable DNS server, then click Properties.

3. Click the Advanced tab.

4. Select the Enable automatic scavenging of stale records check box.

5. To adjust the Scavenging period, select from the drop-down list an interval in either hours or days, and then type a number in the text box.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To start immediate scavenging of stale resource records

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, right-click the applicable DNS server, then click Scavenge Stale Resource Records.

3. When asked to confirm that you want to scavenge all stale resource records on the server, click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /StartScavenging

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/StartScavenging Required. Initiates resource record scavenging.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /StartScavenging /help

To view when a zone can start scavenging stale records

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. On the View menu, click Advanced.

3. Right-click the applicable zone, then click Properties.

4. On the General tab, click Aging.

5. Under Refresh interval, view when the zone is first eligible to be scavenged for stale resource records.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

The start scavenging date and time stamp are used to determine when zone scavenging starts. For more information, see Related Topics.

After the start scavenging date and time stamp are reached, scavenging can occur only if the Scavenge stale resource records check box is selected. If the check box is cleared, scavenging for the zone cannot be performed.

Using a command line

1. Open Command Prompt.

2. Type:

dnscmd ServerName /ZoneInfo ZoneName RefreshInterval

Value Description

dnscmd Specifies the name of the command-line tool.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ZoneInfo Required. Displays configuration information.

ZoneName Required. Specifies the fully qualified domain name (FQDN) of the zone.

RefreshInterval Required. Specifies the configuration property that displays when the zone is first eligible to be scavenged for stale resource records. The output value is in hours. The default setting is 168 hours (one week).

Notes

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /ZoneInfo /help

To reset scavenging and aging properties for a specified resource record

Using the Windows interface

Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable zone.

3. In the details pane, double-click the resource record for which you want to reset scavenging and aging properties.

4. Depending on how the resource record was originally added to the zone, do one of the following:

o If the record was added dynamically using dynamic update, you can clear the Delete this record when it becomes stale check box to prevent its aging or potential removal during the scavenging process. If dynamic updates to this record continue to occur, the DNS server will always reset this check box so that the dynamically updated record can be deleted.

o If you added the record statically, you can select Delete this record when it becomes stale check box to permit its aging or potential removal during the scavenging process.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

This procedure is only necessary for resource records that are dynamically registered. For records that you manually add to a zone, a time stamp value of zero always applies to the record, excluding it from the scavenging process.

Scavenging and aging properties for NS and SOA resource records are reset in the properties for the zone, not the properties for the resource record.

Using a command line

1. Open Command Prompt.

2. Type: dnscmd ServerName /Config {ZoneName|..AllZones} /ScavengingInterval Value

Value Description

dnscmd Specifies the name of the command-line program.

ServerName Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/Config Required. Specifies the configuration command.

ZoneName|..AllZones Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones hosted on the specified DNS server to allow dynamic updates, type ..AllZones.

/ScavengingInterval Required. Sets the scavenging interval.

Value Required. The new value for the scavenging interval, specified in hours. The default is 168 (one week).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type:

dnscmd /Config /help
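As an added example (not part of the original help content), this Python model works through the settings from the server-level and zone-level aging procedures above: when a dynamically registered record may be refreshed, when it becomes stale, and which scavenging run will remove it, with static records (time stamp zero) and a zone whose scavenging is disabled handled as the notes describe; it also emits the corresponding dnscmd /Config lines. Function names and the sample dates are mine, and the refresh/stale rules are an assumption based on the Windows DNS no-refresh and refresh interval semantics, not a reproduction of the server's scheduler.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

HOUR = timedelta(hours=1)


@dataclass(frozen=True)
class AgingPolicy:
    """Interval settings in hours; the defaults are the page's 168 hours (one week)."""
    no_refresh_hours: int = 168
    refresh_hours: int = 168
    scavenging_interval_hours: int = 168


def refresh_allowed(stamp: datetime, now: datetime, policy: AgingPolicy) -> bool:
    """Assumed rule: during the no-refresh interval a dynamic update with unchanged
    data does not move the record's time stamp; after it, the stamp is refreshed."""
    return now >= stamp + policy.no_refresh_hours * HOUR


def stale_at(stamp: Optional[datetime], policy: AgingPolicy) -> Optional[datetime]:
    """When the record becomes eligible for scavenging: no-refresh plus refresh interval
    after its stamp. Manually added records carry a time stamp of zero (None here) and
    are excluded from scavenging, as the notes above state."""
    if stamp is None:
        return None
    return stamp + (policy.no_refresh_hours + policy.refresh_hours) * HOUR


def first_run_at_or_after(zone_start: datetime, t: datetime, policy: AgingPolicy) -> datetime:
    """Scavenging runs every scavenging interval, counted from the zone's
    start-scavenging date and time stamp (see the /ZoneInfo procedure)."""
    if t <= zone_start:
        return zone_start
    interval = policy.scavenging_interval_hours * HOUR
    runs = (t - zone_start) // interval
    if zone_start + runs * interval < t:
        runs += 1
    return zone_start + runs * interval


def removal_time(stamp: Optional[datetime], zone_start: datetime, policy: AgingPolicy,
                 scavenging_enabled: bool = True) -> Optional[datetime]:
    """The scavenging run that deletes the record, or None if it will never be
    deleted: a static record, or a zone with Scavenge stale resource records cleared."""
    eligible = stale_at(stamp, policy)
    if eligible is None or not scavenging_enabled:
        return None
    return first_run_at_or_after(zone_start, eligible, policy)


def config_commands(server: str, policy: AgingPolicy, zone: Optional[str] = None) -> List[str]:
    """dnscmd /Config lines from the procedures above: the server defaults (which apply
    only to Active Directory-integrated zones) and, if a zone is given, the per-zone
    /Aging switch that a standard primary zone needs; its intervals are set with
    /RefreshInterval and /NoRefreshInterval as shown in the zone procedure."""
    cmds = [
        f"dnscmd {server} /Config /ScavengingInterval {policy.scavenging_interval_hours}",
        f"dnscmd {server} /Config /DefaultAgingState 1",
        f"dnscmd {server} /Config /DefaultNoRefreshInterval {policy.no_refresh_hours}",
        f"dnscmd {server} /Config /DefaultRefreshInterval {policy.refresh_hours}",
    ]
    if zone is not None:
        cmds.append(f"dnscmd {server} /Config {zone} /Aging 1")
    return cmds


def demo() -> dict:
    """Constructed scenario: a record stamped 2005-01-01 in a zone whose scavenging
    started 2005-01-03, under the default one-week intervals."""
    policy = AgingPolicy()
    stamp = datetime(2005, 1, 1)
    zone_start = datetime(2005, 1, 3)
    return {
        "refresh_on_jan_5": refresh_allowed(stamp, datetime(2005, 1, 5), policy),
        "refresh_on_jan_8": refresh_allowed(stamp, datetime(2005, 1, 8), policy),
        "stale_at": stale_at(stamp, policy).isoformat(),
        "first_run_after_jan_10": first_run_at_or_after(zone_start, datetime(2005, 1, 10), policy).isoformat(),
        "removed_at": removal_time(stamp, zone_start, policy).isoformat(),
        "static_removed_at": removal_time(None, zone_start, policy),
        "disabled_removed_at": removal_time(stamp, zone_start, policy, scavenging_enabled=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("\n".join(config_commands(".", AgingPolicy(), "example.com")))
```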

Concepts

This section provides general background information about Domain Name System (DNS) and the DNS Server service, as well as details about supporting software provided for DNS clients running under Microsoft operating systems.

DNS Overview

Understanding DNS

Deploying DNS

Administering DNS

DNS Resources

DNS Overview

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

DNS overview

This section covers:

DNS defined

DNS tools

Server features

Client features

Security information for DNS

New features for DNS

DNS defined

DNS is an abbreviation for Domain Name System, a system for naming computers and network services that is organized into a hierarchy of domains. DNS naming is used in TCP/IP networks, such as the Internet, to locate computers and services through user-friendly names. When a user enters a DNS name in an application, DNS services can resolve the name to other information associated with the name, such as an IP address.

For example, most users prefer a friendly name such as example.microsoft.com to locate a computer such as a mail or Web server on a network. A friendly name can be easier to learn and remember. However, computers communicate over a network by using numeric addresses. To make the use of network resources easier, name systems such as DNS provide a way to map the user-friendly name for a computer or service to its numeric address.

The following figure shows a basic use of DNS, which is finding the IP address of a computer based on its name.

In this example, a client computer queries a DNS server, asking for the IP address of a computer configured to use host-a.example.microsoft.com as its DNS domain name. Because the DNS server is able to answer the query based on its local database, it replies with an answer containing the requested information, which is a host (A) resource record that contains the IP address information for host-a.example.microsoft.com.

The example shows a simple DNS query between a single client and DNS server. In practice, DNS queries can be more involved than this and include additional steps not shown here. For more information, see How DNS query works.

Note

For additional background information about other DNS concepts, see Understanding DNS.

DNS tools

There are a number of utilities for administering, monitoring, and troubleshooting both DNS servers and clients. These utilities include:

The DNS console, which is part of Administrative Tools.

Command-line utilities, such as Nslookup, which can be used to troubleshoot DNS problems.

Logging features, such as the DNS server log, which can be viewed using the DNS console or Event Viewer. File-based logs can also be used temporarily as an advanced debugging option to log and trace selected service events.

Performance monitoring utilities, such as statistical counters to measure and monitor DNS server activity with System Monitor.

Windows Management Instrumentation (WMI), a standard technology for accessing management information in an enterprise environment.

Platform Software Developer Kit (SDK).

The DNS console

The primary tool that you use to manage DNS servers is the DNS console, which is located in the Administrative Tools folder in the Start menu's Programs folder. The DNS console can be used on its own or as a Microsoft Management Console (MMC), further integrating DNS administration into your total network management.

The DNS console can only be used after DNS is installed on the server. You can use the DNS console to perform these basic administrative server tasks:

1. Performing initial configuration of a new DNS server.

2. Connecting to and managing a local DNS server on the same computer, or remote DNS servers on other computers.

3. Adding and removing forward and reverse lookup zones as needed.

4. Adding, removing, and updating resource records in zones.

5. Modifying how zones are stored and replicated between servers.

6. Modifying how servers process queries and handle dynamic updates.

7. Modifying security for specific zones or resource records.

In addition, you can also use the DNS console to perform the following tasks:

Perform maintenance on the server. You can start, stop, pause, or resume the server, or manually update server data files.

Monitor the contents of the server cache and, as needed, clear it.

Tune advanced server options.

Configure and perform aging and scavenging of stale resource records stored by the server.

Important

The DNS console can only be used to manage DNS servers running Microsoft® Windows® and cannot be used to manage other DNS servers, such as BIND.

Notes

The DNS console provides new ways to perform familiar DNS administrative tasks previously performed in Microsoft® Windows® NT Server 4.0 using DNS Manager. For more information, see New ways to do familiar DNS tasks.

To use the DNS console from another non-server computer, such as one running Microsoft® Windows® XP Professional, you must install the Windows Server 2003 Administration Tools Pack.

For information on installing DNS, see Install a DNS server.

Command-line utilities

There are several command-line utilities you can use to manage and troubleshoot DNS servers and clients. The following table describes each of these utilities, which can be run either by typing them at a command prompt or by entering them in batch files for scripted use.

Command  Description

Nslookup  Used to perform query testing of the DNS domain namespace. For more information, see Nslookup.

Dnscmd  A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network. For more information, see Server administration using Dnscmd.

Ipconfig  This command is used to view and modify IP configuration details used by the computer. Additional command-line options are included with this utility to provide help in troubleshooting and supporting DNS clients. For more information, see Flush and reset a client resolver cache using the ipconfig command or Renew DNS client registration using the ipconfig command.

Event monitoring utilities

The Windows Server 2003 family includes two options for monitoring DNS servers:

Default logging of DNS server event messages to the DNS server log.

DNS server event messages are separated and kept in their own system event log, the DNS server log, which can be viewed using the DNS console or Event Viewer. For more information, see View the DNS server system event log.

The DNS server log contains events logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. Most additional critical DNS Server service events are also logged here, such as when the server starts but cannot locate initializing data, such as zones or boot information stored in the registry or (in some cases) Active Directory.

The event types logged by DNS servers can be changed using the DNS console. For more information, see DNS server log reference.

You can use Event Viewer to view and monitor client-related DNS events. These appear in the System log and are written by the DNS Client service at any computers running Windows (all versions). For more information, see Windows interface administrative tool reference A-Z: Event Viewer.

Optional debug options for trace logging to a text file on the DNS server computer.

You can also use the DNS console to selectively enable additional debug logging options for temporary trace logging to a text-based file of DNS server activity. The file created and used for this feature, Dns.log, is stored in the systemroot\System32\Dns folder.

Performance monitoring utilities

Performance monitoring for DNS servers can be done using additional service-specific counters that measure DNS server performance. These counters are accessible through System Monitor, which is provided in the Performance console.

When using System Monitor, you can create charts and graphs of server performance trends over time for any of your DNS servers. These can be further studied and analyzed to determine if additional server tuning is needed.

By measuring and reviewing server metrics over a period of time, it is possible to determine performance benchmarks and decide if further adjustments can be made to optimize the system. For more information, see Monitoring DNS server performance.

Windows Management Instrumentation (WMI)

WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components in an enterprise environment. For more information about Windows Management Instrumentation, see the Microsoft Platform SDK Web site.

Platform Software Developer Kit (SDK)

Computers running a product in the Windows Server 2003 family provide functions that enable application programmers to use DNS, such as programmatically making DNS queries, comparing records, and looking up names.

Programmable DNS components are designed for use by C/C++ programmers. Familiarity with networking and with DNS is required. Programmers should be familiar with the IP protocol suite, as well as the DNS protocol and how DNS operates.

Note

For more information about manageability, see Management Strategies and Tools.

Server features

The Domain Name System (DNS) Server service provides the following:

An RFC-compliant DNS server

DNS is an open protocol and is standardized by a set of Request for Comments (RFCs). Microsoft supports and complies with these standard specifications.

For more information, see DNS RFCs.

Interoperability with other DNS server implementations

Because the DNS Server service is RFC-compliant and can use standard DNS data file and resource record formats, it can successfully work with most other DNS server implementations, such as those that use the Berkeley Internet Name Domain (BIND) software.

For more information, see Interoperability issues.

Support for Active Directory

DNS is required for support of the Active Directory® directory service. If you install Active Directory on a server, you can automatically install and configure a DNS server if a DNS server that meets the Active Directory requirements cannot be located.

First, in the Active Directory Installation Wizard, you specify the DNS name of the Active Directory domain for which you are promoting the server to become a domain controller. Later in the installation process, the wizard tests for the following:

1. Based on its TCP/IP client configuration, it checks to see whether a preferred DNS server is configured for its use.

2. If a preferred DNS server is available, it queries to find the primary authoritative server for the DNS name of the Active Directory domain you specified earlier in the wizard.

3. It then tests to see whether the authoritative primary server can support and accept dynamic updates as described in the dynamic update protocol (RFC 2136).

4. If, at this point in the process, a supporting DNS server cannot be located to accept updates for the specified DNS domain name you are using with Active Directory, you are provided with the option to install the DNS Server service locally.

5. If you choose to install the DNS Server service locally, the IP address for the current preferred DNS server is used to configure a forwarder on the local DNS server. This configuration maintains any existing resolution to an Internet Service Provider (ISP).

In general, the use of the Windows Server 2003 DNS Server service is strongly recommended for the best possible integration and support of Active Directory and enhanced DNS server features. You can, however, use another type of DNS server to support Active Directory deployment.

When using other types of DNS servers, consider additional issues related to DNS interoperability. For more information, see Interoperability issues.

Note

This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Enhancements to DNS zone storage in Active Directory

DNS zones can be stored in the domain or application directory partitions of Active Directory. A partition is a data structure within Active Directory used to distinguish data for different replication purposes. You can specify in which Active Directory partition to store the zone and, consequently, the set of domain controllers between which that zone's data will be replicated.

For more information, see DNS zone replication in Active Directory.

Note

This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Conditional forwarders

The DNS Server service extends a standard forwarder configuration with conditional forwarders. A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

For more information, see Understanding forwarders.

Stub zones

DNS supports a new zone type called a stub zone. A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative DNS servers for that zone. You can use a stub zone instead of a secondary zone in situations where replicating all the zone data would be undesirable, such as over a slow network link. Note, however, that this replication efficiency is at the expense of resolution efficiency because the server hosting the stub zone is not authoritative for the zone and so must refer all queries for the zone to other servers.

For more information, see Understanding stub zones.

Enhanced DNS security features

DNS provides enhanced security administration for the DNS Server service, the DNS Client service, and DNS data. For more information, see Security information for DNS.

Integration with other Microsoft networking services

The DNS Server service offers integration with other services and contains features beyond those specified in the RFCs. These include integration with Active Directory, WINS, and DHCP services.

For more information, see Active Directory integration; WINS lookup integration; Dynamic update.

Improved ease of administration

The DNS console offers an improved graphical user interface for managing the DNS Server service. Also, there are several configuration wizards for performing common server administration tasks. In addition to the DNS console, other tools are provided to help you better manage and support DNS servers and clients on your network.

For more information, see DNS tools.

RFC-compliant dynamic update protocol support

The DNS Server service allows clients to dynamically update resource records, based on the dynamic update protocol (RFC 2136). This improves DNS administration by reducing the time needed to manually manage these records. Computers running the DNS Client service can dynamically register their DNS names and IP addresses.

For more information, see Dynamic update.

Support for incremental zone transfer between servers

Zone transfers are used between DNS servers to replicate information about a portion of the DNS namespace. Incremental zone transfer is used to replicate only the changed portions of a zone, conserving network bandwidth.

For more information, see Understanding zones and zone transfer.

Support for new resource record types

The DNS Server service includes support for several new resource record (RR) types. These types, which include the service location (SRV) and ATM address (ATMA) RRs, expand the possibilities for using DNS as a names database service.

Client features

The Domain Name System (DNS) Client service is used to resolve DNS domain names and implements the following features:

System-wide caching

Resource records (RRs) from query responses are added to the client cache as applications query DNS servers. This information is then cached for a set Time to Live (TTL) and can be used again to answer subsequent queries.

RFC-compliant negative caching support

In addition to caching positive query responses from DNS servers (which contain resource record information in the answered reply), the DNS Client service also caches negative query responses. A negative response results when a resource record for the queried name does not exist.

Negative caching prevents the repeating of additional queries for names that do not exist, which can adversely affect client system performance. Any query information negatively cached is kept for a shorter period of time than is used for positive query responses; by default, no more than 5 minutes. This avoids continued negative caching of stale information if the records later become available.

Negative caching is a new DNS standard specification defined in RFC 2308. For more information, refer to this RFC. For more information on obtaining RFCs, see TCP/IP RFCs.

Avoidance of unresponsive DNS servers

The DNS Client service uses a server search list, ordered by preference. This list includes all preferred and alternate DNS servers configured for each of the active network connections on the system.

The list is arranged based on the following criteria:

1. Preferred DNS servers are given first priority.

2. If no preferred DNS servers are available, then alternate DNS servers are used.

3. Unresponsive servers are removed temporarily from these lists.

Important

The DHCP Client service initiates dynamic registration for client DNS names. For more information, see Dynamic update or Using DNS servers with DHCP.
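The three client features above (positive caching, the capped negative cache, and the preference-ordered server list that temporarily skips unresponsive servers) are easier to reason about with a small model. The following is an added example, not the Windows DNS Client service; the class names, the 300-second negative-cache ceiling (the page's stated default of no more than 5 minutes), the SOA-minimum rule (RFC 2308, which the page cites) and the 30-second skip interval for unresponsive servers are assumptions, and the clock is faked so the behaviour can be shown without waiting.

```python
"""Model of a DNS client resolver cache and server search list.
Added example, not Microsoft's DNS Client code: names, the 300 s negative
cap and the 30 s skip interval are assumptions."""
import time
from typing import Callable, Dict, List, Optional, Tuple

NEGATIVE_TTL_CAP = 300  # seconds; negative answers never outlive this


class ResolverCache:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        # (name, rtype) -> (expiry time, answer); answer None marks a negative entry
        self._entries: Dict[Tuple[str, str], Tuple[float, Optional[List[str]]]] = {}

    def put_positive(self, name: str, rtype: str, answer: List[str], ttl: int) -> None:
        self._entries[(name.lower(), rtype)] = (self._clock() + ttl, list(answer))

    def put_negative(self, name: str, rtype: str, soa_minimum: int) -> None:
        # Negative TTL is the SOA minimum, capped so a stale "does not exist"
        # answer cannot hide a record that is added later.
        ttl = min(soa_minimum, NEGATIVE_TTL_CAP)
        self._entries[(name.lower(), rtype)] = (self._clock() + ttl, None)

    def lookup(self, name: str, rtype: str) -> Tuple[str, Optional[List[str]]]:
        """Returns ("hit", answer), ("negative", None) or ("miss", None)."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return "miss", None
        expires, answer = entry
        if self._clock() >= expires:
            del self._entries[key]          # expired entries are dropped on access
            return "miss", None
        return ("negative", None) if answer is None else ("hit", answer)


class ServerSearchList:
    """Preferred servers first, then alternates; an unresponsive server is
    skipped for `penalty` seconds rather than removed permanently."""

    def __init__(self, preferred: List[str], alternates: List[str],
                 clock: Callable[[], float] = time.monotonic, penalty: int = 30):
        self._order = list(preferred) + list(alternates)
        self._clock = clock
        self._penalty = penalty
        self._skip_until: Dict[str, float] = {}

    def mark_unresponsive(self, server: str) -> None:
        self._skip_until[server] = self._clock() + self._penalty

    def candidates(self) -> List[str]:
        now = self._clock()
        return [s for s in self._order if self._skip_until.get(s, 0.0) <= now]


class FakeClock:
    """Deterministic clock so the TTL behaviour can be shown without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Runs the constructed scenario and returns what each lookup observed."""
    clock = FakeClock()
    cache = ResolverCache(clock)
    cache.put_positive("host-a.example.microsoft.com", "A", ["192.0.2.10"], ttl=3600)
    cache.put_negative("missing.example.microsoft.com", "A", soa_minimum=86400)
    first = (cache.lookup("host-a.example.microsoft.com", "A")[0],
             cache.lookup("missing.example.microsoft.com", "A")[0])
    clock.advance(NEGATIVE_TTL_CAP)      # negative entry expires, positive one survives
    later = (cache.lookup("HOST-A.example.microsoft.com", "A")[0],
             cache.lookup("missing.example.microsoft.com", "A")[0])

    servers = ServerSearchList(["10.0.0.1"], ["10.0.0.2"], clock)
    before = servers.candidates()
    servers.mark_unresponsive("10.0.0.1")
    during = servers.candidates()
    clock.advance(30)                    # penalty elapses, preferred server returns
    after = servers.candidates()
    return {"first": first, "later": later,
            "before": before, "during": during, "after": after}


if __name__ == "__main__":
    print(demo())
```

The cap matters even though the SOA minimum here is a full day: without it a name that is created after one failed lookup would stay invisible to the client for as long as the zone's negative TTL, which is the stale-information problem the page describes.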

Security information for DNS

Domain Name System (DNS) was originally designed as an open protocol and is therefore vulnerable to attackers. Windows Server 2003 DNS has improved the ability to prevent an attack on your DNS infrastructure through the addition of security features. Before considering which of the security features to use, you should be aware of the common threats to DNS security and the level of DNS security in your organization.

DNS security threats

The following are the typical ways in which your DNS infrastructure can be threatened by attackers:

Footprinting is the process by which DNS zone data is obtained by an attacker to provide the attacker with the DNS domain names, computer names, and IP addresses for sensitive network resources. An attacker commonly begins an attack by using this DNS data to diagram, or footprint, a network. DNS domain and computer names usually indicate the function or location of a domain or computer in order to help users remember and identify domains and computers more easily. An attacker takes advantage of the same DNS principle to learn the function or location of domains and computers in the network.

Denial-of-service attack is when an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries. As a DNS server is flooded with queries, its CPU usage will eventually reach its maximum and the DNS Server service will become unavailable. Without a fully operating DNS server on the network, network services that use DNS will become unavailable to network users.

Data modification is an attempt by an attacker (that has footprinted a network using DNS) to use valid IP addresses in IP packets the attacker has created, thereby giving these packets the appearance of coming from a valid IP address in the network. This is commonly called IP spoofing. With a valid IP address (an IP address within the IP address range of a subnet), the attacker can gain access to the network and destroy data or conduct other attacks.

Redirection is when an attacker is able to redirect queries for DNS names to servers under the control of the attacker. One method of redirection involves the attempt to pollute the DNS cache of a DNS server with erroneous DNS data that may direct future queries to servers under the control of the attacker. For example, if a query were originally made for example.microsoft.com and a referral answer provided a record for a name outside of the microsoft.com domain, such as malicious-user.com, then the DNS server would use the cached data for malicious-user.com to resolve a query for that name. Redirection can be accomplished whenever an attacker has writable access to DNS data, such as with insecure dynamic updates.
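The defence against the referral scenario just described is a bailiwick check: a server only caches records whose owner name lies at or below the zone the referring server is authoritative for, and everything else in the referral is discarded and resolved from its own authority. The following is an added example of that check, not Microsoft DNS Server code; the Record class, the function names and the sample referral (with addresses from documentation ranges) are constructed for illustration.

```python
"""Bailiwick filtering of referral data, the check behind what the page calls
cache pollution prevention. Added example, not Microsoft's code; the Record
class, function names and sample records are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Record:
    name: str    # owner name of the resource record
    rtype: str   # record type, e.g. "A" or "NS"
    data: str    # record data as text


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def in_bailiwick(zone: str, name: str) -> bool:
    """True if name is the zone apex or lies below it.

    The leading dot in the suffix test matters: evil-microsoft.com must not
    count as being inside microsoft.com.
    """
    z, n = normalize(zone), normalize(name)
    return n == z or n.endswith("." + z)


def filter_referral(zone: str, records: Iterable[Record]) -> Tuple[List[Record], List[Record]]:
    """Split records received from a server authoritative for `zone` into those
    it may legitimately speak for (kept, safe to cache) and those outside its
    bailiwick (dropped, to be looked up from their own authority)."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(zone, rec.name) else dropped).append(rec)
    return kept, dropped


# Constructed referral modelled on the page's scenario: the microsoft.com
# servers delegate example.microsoft.com, and the response also carries data
# for names they are not authoritative for. Addresses are documentation ranges.
SAMPLE_REFERRAL = [
    Record("example.microsoft.com", "NS", "ns1.example.microsoft.com"),
    Record("ns1.example.microsoft.com", "A", "192.0.2.10"),         # valid glue
    Record("example.microsoft.com", "NS", "ns.malicious-user.com"),  # in-bailiwick owner, out-of-zone target
    Record("ns.malicious-user.com", "A", "198.51.100.7"),           # glue this server cannot vouch for
    Record("www.malicious-user.com", "A", "198.51.100.8"),          # unrelated name: the page's example
    Record("evil-microsoft.com", "A", "198.51.100.9"),              # suffix look-alike without the dot
]


def rejected_names(zone: str = "microsoft.com", records: Iterable[Record] = SAMPLE_REFERRAL) -> List[str]:
    """Owner names a cache-pollution-aware server refuses to cache from the referral."""
    _, dropped = filter_referral(zone, records)
    return [rec.name for rec in dropped]


if __name__ == "__main__":
    kept, dropped = filter_referral("microsoft.com", SAMPLE_REFERRAL)
    for rec in kept:
        print("cache  ", rec)
    for rec in dropped:
        print("discard", rec)
```

Note that the NS record pointing at ns.malicious-user.com is kept, because its owner name is inside the zone and the delegating server is entitled to say who serves the child; only the accompanying A record for that name is discarded, so the server has to resolve the name server's address through the authority for malicious-user.com rather than trusting the referral.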

Mitigating DNS security threats

DNS can be configured to mitigate the common DNS security issues discussed above. The following table lists five main areas on which to concentrate when determining your DNS security.

DNS security area  Description

DNS namespace  Incorporate DNS security into your DNS namespace design. For more information, see Securing DNS deployment.

DNS Server service  Review the default DNS Server service security settings and apply Active Directory security features when the DNS Server service is running on a domain controller. For more information, see Securing the DNS Server service.

DNS zones  Review the default DNS zone security settings and apply secure dynamic updates and Active Directory security features when the DNS zone is hosted on a domain controller. For more information, see Securing DNS zones.

DNS resource records  Review the default DNS resource record (RR) security settings and apply Active Directory security features when the DNS resource records are hosted on a domain controller. For more information, see Securing DNS resource records.

DNS clients  Control the DNS server IP addresses used by DNS clients. For more information, see Securing DNS clients.

Three levels of DNS security

The following three levels of DNS security will help you understand your current DNS configuration and enable you to increase the DNS security of your organization.

Low-level security

Low-level security is a standard DNS deployment without any security precautions configured. Only deploy this level of DNS security in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity.

The DNS infrastructure of your organization is fully exposed to the Internet.

Standard DNS resolution is performed by all DNS servers in your network.

All DNS servers are configured with root hints pointing to the root servers for the Internet.

All DNS servers permit zone transfers to any server.

All DNS servers are configured to listen on all of their IP addresses.

Cache pollution prevention is disabled on all DNS servers.

Dynamic update is allowed for all DNS zones.

User Datagram Protocol (UDP) and Transmission Control Protocol/Internet Protocol (TCP/IP) port 53 is open on the firewall for your network for both source and destination addresses.

Medium-level security

Medium-level security uses the DNS security features available without running DNS servers on domain controllers and storing DNS zones in Active Directory.

The DNS infrastructure of your organization has limited exposure to the Internet.

All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.

All DNS servers limit zone transfers to servers listed in the name server (NS) resource records in their zones.

DNS servers are configured to listen on specified IP addresses.

Cache pollution prevention is enabled on all DNS servers.

Nonsecure dynamic update is not allowed for any DNS zones.

Internal DNS servers communicate with external DNS servers through the firewall with a limited list of source and destination addresses allowed.

External DNS servers in front of your firewall are configured with root hints pointing to the root servers for the Internet.

All Internet name resolution is performed using proxy servers and gateways.

High-level security

High-level security uses the same configuration as medium-level security and also uses the security features available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required.

The DNS infrastructure of your organization has no Internet communication by internal DNS servers.

Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.

DNS servers that are configured with forwarders use internal DNS server IP addresses only.

All DNS servers limit zone transfers to specified IP addresses.

DNS servers are configured to listen on specified IP addresses.

Cache pollution prevention is enabled on all DNS servers.

Internal DNS servers are configured with root hints pointing to the internal DNS servers hosting the root zone for your internal namespace.

All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to only allow specific individuals to perform administrative tasks on the DNS server.

All DNS zones are stored in Active Directory. A DACL is configured to only allow specific individuals to create, delete, or modify DNS zones.

DACLs are configured on DNS resource records to only allow specific individuals to create, delete, or modify DNS data.

Secure dynamic update is configured for DNS zones, except the top-level and root zones, which do not allow dynamic updates at all.
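The three checklists above are the kind of thing worth turning into an audit that tells you which level a server actually meets and which items hold it back. The following is an added example, not a Microsoft tool and not code from this page; the dataclasses, field names and the three sample configurations are constructed, and the dnscmd setting names mentioned in the comments (/SecureResponses for cache pollution prevention, /AllowUpdate for the dynamic update mode) come from my own knowledge of dnscmd rather than from this page.

```python
"""Audit of a DNS server configuration against the page's low / medium / high
security levels. Added example, not a Microsoft tool; the data model and the
sample configurations are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class ZoneConfig:
    name: str
    allow_update: str        # "none" | "secure" | "nonsecure" (dnscmd /AllowUpdate 0 | 2 | 1)
    ad_integrated: bool      # zone stored in Active Directory
    transfer_policy: str     # "any" | "ns_only" | "ip_list": who may pull zone transfers
    top_level: bool = False  # internal root or top-level zone: no dynamic updates at all


@dataclass
class ServerConfig:
    listen_all_addresses: bool    # listen on every interface vs. a specified list
    secure_responses: bool        # cache pollution prevention (dnscmd /SecureResponses 1)
    forwarders: List[str]         # forwarder IP addresses
    internal_networks: List[str]  # CIDR prefixes that count as internal
    root_hints_internal: bool     # root hints point at the internal root, not the Internet roots
    on_domain_controller: bool
    zones: List[ZoneConfig] = field(default_factory=list)


def _internal(ip: str, networks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def medium_findings(cfg: ServerConfig) -> List[str]:
    """Items from the page's medium-level list that the server does not meet."""
    out = []
    if not cfg.forwarders or not all(_internal(ip, cfg.internal_networks) for ip in cfg.forwarders):
        out.append("forwarders do not point only to internal DNS servers")
    if cfg.listen_all_addresses:
        out.append("server listens on all IP addresses instead of a specified list")
    if not cfg.secure_responses:
        out.append("cache pollution prevention is disabled")
    for z in cfg.zones:
        if z.transfer_policy == "any":
            out.append(f"zone {z.name}: zone transfers allowed to any server")
        if z.allow_update == "nonsecure":
            out.append(f"zone {z.name}: nonsecure dynamic update allowed")
    return out


def high_findings(cfg: ServerConfig) -> List[str]:
    """Medium-level items plus the extra conditions of the high level."""
    out = medium_findings(cfg)
    if not cfg.root_hints_internal:
        out.append("root hints point to the Internet root servers")
    if not cfg.on_domain_controller:
        out.append("DNS Server service is not running on a domain controller")
    for z in cfg.zones:
        if z.transfer_policy != "ip_list":
            out.append(f"zone {z.name}: zone transfers not limited to specified IP addresses")
        if not z.ad_integrated:
            out.append(f"zone {z.name}: not stored in Active Directory")
        wanted = "none" if z.top_level else "secure"   # root/top-level zones take no updates
        if z.allow_update != wanted:
            out.append(f"zone {z.name}: dynamic update should be '{wanted}', is '{z.allow_update}'")
    return out


def classify(cfg: ServerConfig) -> str:
    """Highest of the page's three levels whose checklist the server satisfies."""
    if not high_findings(cfg):
        return "high"
    if not medium_findings(cfg):
        return "medium"
    return "low"


# Constructed configurations, one per level.
LOW = ServerConfig(True, False, [], ["10.0.0.0/8"], False, False,
                   [ZoneConfig("example.microsoft.com", "nonsecure", False, "any")])
MEDIUM = ServerConfig(False, True, ["10.0.0.53"], ["10.0.0.0/8"], False, False,
                      [ZoneConfig("example.microsoft.com", "secure", False, "ns_only")])
HIGH = ServerConfig(False, True, ["10.0.0.53"], ["10.0.0.0/8"], True, True,
                    [ZoneConfig("example.microsoft.com", "secure", True, "ip_list"),
                     ZoneConfig(".", "none", True, "ip_list", top_level=True)])

if __name__ == "__main__":
    for label, cfg in (("LOW", LOW), ("MEDIUM", MEDIUM), ("HIGH", HIGH)):
        print(label, "->", classify(cfg))
        for finding in high_findings(cfg):
            print("   ", finding)
```

The medium check accepts "ip_list" as well as "ns_only" for zone transfers and "none" as well as "secure" for dynamic update, since a stricter setting still satisfies the lower level; the high check is strict about both, and about the root and top-level zones taking no updates at all, as the last item of the list above requires.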

New features for DNS

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

New features for DNS

The following new Domain Name System (DNS) features and feature enhancements are available with the Microsoft® Windows Server™ 2003 family.

Improved domain controller name resolution

In response to DNS name resolution failures that may be encountered during location of replication partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the server name that might be registered, which results in fewer failures due to DNS delays and misconfiguration. For more information about DNS name resolution, see How DNS Support for Active Directory Works on the Microsoft Web site.

Conditional forwarders

Forward DNS queries according to the DNS domain name in the query using conditional forwarders. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

For more information, see Using forwarders.

Stub zones

Using stub zones, keep a DNS server hosting a parent zone aware of the authoritative DNS servers for its child zone and, thereby, maintain DNS name resolution efficiency.

For more information, see Understanding stub zones.

DNS zone replication in Active Directory

Choose from four default replication options for Active Directory-integrated DNS zone data.

For more information, see DNS zone replication in Active Directory.

Enhanced DNS security features

DNS provides greater precision in its security administration for the DNS Server service, the DNS Client service, and DNS data.

For more information, see Security information for DNS.

Round robin all resource record (RR) types

By default, the DNS Server service will perform round-robin rotation for all resource record (RR) types.

For more information, see Configuring round robin.

Enhanced debug logging

Use the enhanced DNS Server service debug logging settings to troubleshoot DNS problems.

For more information, see Using server debug logging options.

DNSSEC

DNS provides basic support of DNS Security Extensions (DNSSEC) protocol as defined in RFC 2535.

For more information, see Using DNS Security Extensions (DNSSEC).

EDNS0

Enable DNS requestors to advertise the size of their UDP packets and facilitate the transfer of packets larger than 512 octets, the original DNS restriction for UDP packet size (RFC 1035).

For more information, see Using Extension Mechanisms for DNS (EDNS0).

Control automatic NS resource record registration on a server and a zone basis